To me, this is one of the many ingenious things about TeaVM's architecture. By using the preferred code execution mechanisms of browser vendors (WASM and ECMAScript, plus Web APIs) to deliver Java code, it ensures they can't block or shut down this delivery mechanism. They would have to cut off their noses to spite their faces.
Furthermore, since the browser vendors never want browser code to have public security issues, they work hard to find and fix problems in their sandboxes and runtimes. This of course benefits TeaVM apps as well, since they play in those same sandboxes, and gives them a level playing field with other web apps in perpetuity.
Plugin-based applets were only safe as long as Sun had clout and the browser vendors were investing less in security than the Java team.
True, WASM adoption is still low and could feasibly be removed, but TeaVM lets you target both JavaScript and WASM GC backends, so you are future proofed either way.
Furthermore, since the browser vendors never want browser code to have public security issues, they work hard to find and fix problems in their sandboxes and runtimes. This of course benefits TeaVM apps as well, since they play in those same sandboxes, and gives them a level playing field with other web apps in perpetuity.
Plugin-based applets were only safe as long as Sun had clout and the browser vendors were investing less in security than the Java team.