No it's not. First, you need to be able to execute code on the target machine (at which point you don't need meltdown to do evil things).
Sceptre is specifically demonstrated to work in browsers, with Javascript. It can read the process memory outside the Javascript sandbox.
And plenty of people run code on their machines, assuming that the OS will do the correct thing and sandbox the kernel memory and memory of other processes properly.
Then, you need to make the exploit work. Here's a post from a guy who tried but couldn't. He's even quoted from the Google guys, so it's not just some random idiot.
Quite old post, on this timeline, and if I'm not mistaken, the things that actually work are an evolution of that design. He didn't get it, but someone else was able to.
Both attacks depend on the exact timing difference of very short intervals that are affected by a lot of other messy factors.
Yes, and the RDTSC instruction, which is unprivileged on x86, offers more than enough resolution to get you that data.
Finally, you need to know what you are looking for. One source said you can read about 1.5kB per second, so you can't just scan the entire system memory and hope there's a password.txt opened somewhere.
That's Sceptre. Meltdown gets you around 100kb/s without TSX, and north of 500kb/s with TSX support (admittedly not terribly relevant in the context of older systems that aren't getting updated, since working TSX is Broadwell and newer).
So when your bank account gets hacked in the next year or two, it's probably not because of meltdown or spectre, regardless of whether you updated your system or not.
*shrug* Ok. Run whatever you want. I don't care. However, I still think it's quite stupid to run non-updated hardware. And I do think we'll see both Sceptre and Meltdown in the wild. If we're not already. They don't exactly leave good logs behind, 'ya know?