I think perhaps you and the GP are defining auditable slightly differently. There's being able to look into and figure out what the code you wrote is doing because you have source maps or pre-compilation source, and then there's being able to see what third party code that your browser is downloading and running is doing. Given how hard that can be with JavaScript and obfuscation, I imagine an obfuscating compiler for WASM can do quite a bit if you're willing to take a performance hit on the running code. And something tells me that the entities most interested in obfuscating what their code is doing are more often than not likely to not care too much about the CPU and battery life ramifications of making their code less performant.