Spectre is not going to be fixed for code within the same address space and allows to read all process memory from untrusted code. Google in V8 tried to protect against that, but they mostly gave up as there were way too many ways to affect the cache.