That's one of the better explanations of Meltdown I've seen. If I'm reading it correctly, it gives a piece which I hadn't understood before: that the kernel data is, in some circumstances, mapped to an application's address space (i.e., it's at some address, such as 002f3A44), but the application's process has neither read nor write permission for that address. Speculative execution can read that address anyway, which should only allow the result into the processor's cache. Then (I'm still waving hands on this part) the application can somehow sneak a peek at the cache.