WASI is the best format for code submitted by users, entirely untrusted, which is in principle of any complexity but expected to be pretty simple. It works on any platform, in any environment, with extreme and direct control over its access to every resource and its ability to execute at all. Wasmtime's "fuel" feature is not something you can do with containers, and if you can do it with VMs then I don't know about it, but VMs are behemoths for the task of executing a simple function that would in an alternate universe be CEL.