I can play pretty good, smooth 3D games on my IE through a plug-in. If both WebGL and plug-ins are vulnerable to attacks, why would I choose WebGL over a plug-in?
In fact, I would choose a plug-in over WebGL because the plug-in only runs one game, and a virus dev wouldn't be bothered to attack a single game engine. On the other hand, WebGL is a much bigger target for attacks.
And if I am the 3D engine plug-in dev, I simply embed the shader files as part of my compiled plug-in, and only read data such as textures, meshes, coordinates, and other non-shader-related data (no write, only read). That would already make my plug-in powerless to support a virus.