[mambodog]

can you describe the threat vector here? how exactly could it be used to do that? keeping in mind the cross origin limitations mentioned in the spec, and that the timing resolution is no different to JS timestamp methods already available to code run in this context

[capableweb]

It's yet another data point for fingerprinting. Similar to how you can use audio and canvas for fingerprinting. See https://audiofingerprint.openwpm.com/ for audio example. You could replicate the audio fingerprint example with performance characteristics instead and use in connection with other data points to build identifiers of users.