https://lkml.org/lkml/2018/1/3/797

A *competent* CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.

https://news.ycombinator.com/item?id=10518480

Aye, too many people have this defeatist attitude that since perfect security will never be possible, therefore the only valid solution is reactive security (bug-patch cycles). Patch dependence is considered too entrenched for making some changes like replacing ambient authority with capabilities, using failure-oblivious computing [1] to redirect invalid reads and writes, using separation kernels, information flow control, proper MLS [2], program shepherding for origin and control flow monitoring [3] and general fault tolerance/self-healing [4].
I used to look up to Linus Torvalds as many did, but am increasingly beginning to see him as a threat to the advancement of the industry with his faux pragmatism that has led him to speak out against everything from security to microkernels and kernel debuggers.
[1] https://www.doc.ic.ac.uk/~cristic/papers/fo-osdi-04.pdf
[2] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.52....
[3] https://www.usenix.org/legacy/events/sec02/full_papers/kiria...
[4] https://www.cs.columbia.edu/~angelos/Papers/2007/mmm-acns-se...