A page could load thousands of images and thousands of tiny CSS files.
None of that is JS, all of that is loads of extra requests.

Never mind WASM. It’s a portable compiled binary that runs on the browser. Code that in c#, rust, python, whatever.
So no, JS is not the only way to poorly implement API requests.

Besides, http/2 has connection reuse. If the IP and the TLS cert authority is the same, additional API/file etc requests will happen over the established TLS connection, reducing the overhead of establishing a secure connection.

Your dislike is of badly made websites and the prevalence of the browser being a common execution framework, and is wrongly directed at JS.