Somewhat related to #41, it's worth thinking about what CSP policies will apply to the ESM integration when importing Wasm.

Currently the Wasm CSP spec defines wasm-unsafe-eval to be required for all JS API usages.

Would the ESM integration form an exception here when importing Wasm in that it maintains full control of the script src? Or would it simply adopt this same policy?