If I'm reading this right, the caveat is that the exploit only lets you read registers that have been saved for context-switching.

So, in order to extract data, that data must be in constant active use (i.e. loaded in a register) at the time of the attack.

It claims to also allow you to read any data loaded into a vector register, any data loaded from a {rep mov} (i.e. memcpy), any data used by crypto acceleration, and a bunch more. Basically, the only data it does not let you read is regular loads into the regular GPRs (i.e. what would be a register load in a RISC architecture) though if you save/restore during context switches using the special instructions you will leak the values at the time of the context switch.

This is about as close to a total cross-process data leak as can be imagined.

Would environmental variables be something that shows up in context-switching?

In general, not really, but the most common string comparison instruction in x86_64 leaves the last character of one of the strings being compared with the other one just being a pointer into the C-style string.

Typically not, but only because they are not typically accessed frequently.

I think you're asking this question because you're wondering if a container that uses environment variables for its configs would show up in this and I think the answer would be no because it's an operating system service that supplies the answers for the values, but every developer on Earth copies the values into variables where there is going to be a pointer put on a register at some point which then would make it vulnerable