by pas 3088 days ago
No, it's V8 that has to make sure the privilege check variable is in L1d cache when the if happens.

KeePass uses HTTP, and by the time it sees the request, it cannot do much if it's valid.


You would not send requests to KeePass in order to leak passwords. Instead, you would try to set up the branch prediction cache in such a way that, during ordinary execution, KeePass causes cache accesses dependent on secret data because of the code that is speculatively executed due to indirect branch prediction (you set up the branch prediction cache so that it executes your "gadget" to leak things). So yes, assuming you manage to get enough control over the addresses of things in memory via JavaScript (may be hard, but there are known ways to defeat ASLR via JavaScript as well), I think you should be able to attack KeePass even if V8 fixed it.