CPU vendors always say this when an exploit is published before they mitigate.
Sometimes they mean "no we don't think it's exploitable", sometimes the charitable reading is "we don't think anyone is exploiting this and we think developing an exploit will take quite some time".
Unfortunately they never reveal exactly that they mean. This is very annoying, because when it's the former case, they're often right! Security researchers publish bullshit sometimes. But the vendors basically leave you to figure it out for yourself.
And from the paper seems like they played it interestingly in the researchers direction as well:
"1.2. Responsible Disclosure
We disclosed our results to Apple on May 24, 2024.
Apple’s Product Security Team have acknowledged our
report and proof-of-concept code, requesting an extended
embargo beyond the 90-day window. At the time of writing,
Apple did not share any schedule regarding mitigation plans
concerning the results presented in this paper.
"
Sometimes they mean "no we don't think it's exploitable", sometimes the charitable reading is "we don't think anyone is exploiting this and we think developing an exploit will take quite some time".
Unfortunately they never reveal exactly that they mean. This is very annoying, because when it's the former case, they're often right! Security researchers publish bullshit sometimes. But the vendors basically leave you to figure it out for yourself.