by rst 3081 days ago
Site isolation mitigates variant 1 of Spectre, which would otherwise allow hostile JS (served, e.g., from an ad server) to read the contents of web pages in other tabs (or anything else in browser memory -- passwords, etc.). Google has a PoC exploit for this.
1 comments

It's not just other tabs: because of iframes, a single page can be composed of content from arbitrarily many sites. Without a browser architecture that allows documents embedded via iframe to be rendered out of process, each tab's process needs access to passwords, etc. for every site.

Once you have support for out of process iframes, you can lock down each process so that it doesn't have access to data for sites other than the one it was created to render documents for. That lockdown is what can prevent Spectre variant 1 from being used to steal data cross-site: the data is no longer in the process to steal.