First of all, you could probably do a timing attack on CORS responses, you'd just have to deal with how much they're cached.
Depends on the resource request. For example, <img> can be used to load remote resources without CORS, since the image data isn't shared with JS (trying to read it via a canvas marks it "tainted", and errors read requests). Meltdown/Spectre breaks this barrier down, which led to the introduction of COOP/COEP headers that require CORS on remote requests and would break this attack—except that you can ask the browser to send requests without cookies, re-introducing this timing attack.