There are working proof of concept attacks. The only reason you don’t hear more about this is that the mitigations being complained about here are universally enabled in the most vulnerable targets, like cloud hosts.
Otherwise it would be pretty trivial to weaponize the original demonstration, deploy an image to AWS or Google Cloud and read out all your neighbours’ secrets.
The success of the mitigations in rendering these attacks unworkable is literally the only reason people are under the mistaken impression that the cost of the mitigations isn’t worth it “because these attacks don’t happen”.
Otherwise it would be pretty trivial to weaponize the original demonstration, deploy an image to AWS or Google Cloud and read out all your neighbours’ secrets.
The success of the mitigations in rendering these attacks unworkable is literally the only reason people are under the mistaken impression that the cost of the mitigations isn’t worth it “because these attacks don’t happen”.