Yes, all customer PV instances in EC2 are running in an HVM container and are protected against the guest-to-guest Meltdown vulnerability.
As with all virtual and physical machines, patches are necessary to protect against process-to-process Meltdown within the OS itself. Those are starting to roll out from the respective vendors although it will take time for those to work inside a PV instance.
The intention, from my understanding, is not to boot multiple PV guests inside of one HVM shim, but instead treat it as more of a packaged deal - for each PV guest, you will be running it inside an independent vixen shim. So 5 PV guests, 5 vixen shims, etc.
As with all virtual and physical machines, patches are necessary to protect against process-to-process Meltdown within the OS itself. Those are starting to roll out from the respective vendors although it will take time for those to work inside a PV instance.