They are using V8 isolates, so spectre-like timing attacks are a legitimate concern. See https://leaky.page/ for an example.

Their explanation:

"the time value returned is not the current time. Date.now() returns the time of the last I/O. It does not advance during code execution"

https://developers.cloudflare.com/workers/learning/security-...