Well, maybe I'm wrong :-) my relationship with CloudFlare ends at me being a customer, there is a significant chance that my impression of how Workers (or its security setup) works is wrong. If you want to be sure, ask CF.
In the conclusion of a recent Spectre paper published by a number of Google security researchers they write:
"The community has assumed for decades that programming language security enforced with static and dynamic checks could guarantee confidentiality between computations in the same address space. Our work has discovered there are numerous vulnerabilities in today’s languages that when run on today’s CPUs allow construction of the universal read gadget, which completely destroys language-enforced confidentiality"
CloudFlare believes this doesn't apply to them and that they have created defences which allow them to run multiple customers' code in the same address space without leaking memory. I think the burden of proof is on CloudFlare, and I'm yet to see them actually publish any information about this.
Well, maybe I'm wrong :-) my relationship with CloudFlare ends at me being a customer, there is a significant chance that my impression of how Workers (or its security setup) works is wrong. If you want to be sure, ask CF.