
Wouldn't you need to install those packages as root for the code to have privileges to take advantage of that exploit?


I've known plenty of developers whose automatic response to `packagemanager install packagename` failing is `sudo packagemanager install packagename`.


I sincerely hope all modern package managers, when invoked with sudo, immediately spawn a very-low-privilege process that does most of the work sandboxed to /tmp/whatnot, and the root process just copies files to the right place and runs some system calls to update databases etc.


Most package managers I know support Turing-complete install hooks. How would a package manager detect what parts of those require/are safe to run with root?


No. Packages would not need to be installed as root. Additionally, many possible ways to use the exploit in GP could run as unprivileged users.


Wouldn't the package need to be executed as root, though? Or does Spectre/Meltdown not require privileged access?


No, that's the entire point. They need almost nothing at all but the ability to run code fast in a loop with memory calls. The entire point is that they bypass privilege checks.



