
1. Isn't embedding a browser like this a security risk? 2. Can we now move M-x customize to gtk widgets?



Xwidgets is little more than a gimmick, which:

+ Is not cross-platform and never will be

+ Depends on X and GTK (bad!)

+ Substantially reduces the stability of Emacs due to GTK memory leaks and bugs (terrible!).

This is also the reason that many Emacs users compile Emacs without GTK toolkit support on Linux.

+ Introduces serious security issues via the webkit part, and no, host/browser process isolation isn't really doing anything to mitigate this.

With all that in mind, I'm wondering why they bothered including it in the first place. It will never amount (at least I hope so) to anything that can be reliably depended upon.


When you say "move M-x customize to gtk widgets", which text based would you replace with GTK widgets? Customize certainly doesn't initially seem as friendly as a traditional preferences dialog, but I would be hesitant to lose the "it's all text" navigability and consistency.


Having a friendlier, good-looking "Preferences" based on gtk would help newcomers. We could keep customize too, but a new panel with a simple, familiar look would help a lot of people to get into emacs.


Emacs is not only on GTK. I doubt any indispensable core components will depend on xwidgets unless it can embed each toolkit emacs can use. Further, customize is used on the terminal emulator and on the framebuffer too; having it require X is not feasible.


Would it be any more of a security risk than using a stand-alone browser?


Standalone browsers make a lot of special efforts to isolate pages from one another. Does embedding have the same guarantees?


Yes. WebKitGTK+2 uses isolated renderer/host processes.



