Intel GDS/Downfall Linux Mitigation Updated To Confirm All Skylake CPUs Are Affected

  • #11
    Originally posted by stormcrow:

    A good reason to disable these mitigations if the likelihood of external access is slim to none. Keep in mind that if you're using a web browser on a client system that still counts as external access since you have no practical control or real insight into the external code each website loads and executes. Spectre and some of the rest of the hardware level vulnerabilities are remotely exploitable via web browser.
    The browser thing is paranoia. Show me a single working example of a working exploitation of any of these vulnerabilities from inside a browser and I'll happily turn mitigations back on. Until then they stay off.

    Comment


    • #12
      Originally posted by onlyLinuxLuvUBack:
      Skylake with Downfall, should it be renamed to Skyfail or Skyfall?
      Skylake + Downfall = Henny Penny!

      Comment


      • #13
        Originally posted by partcyborg:

        The browser thing is paranoia. Show me a single working example of a working exploitation of any of these vulnerabilities from inside a browser and I'll happily turn mitigations back on. Until then they stay off.
        Posted by Stephen Röttger and Artur Janc, Information Security Engineers Three years ago, Spectre changed the way we think about security b...

        Comment


        • #14
          Ah, maybe this is why I found a Xeon E3-1230-v5 on eBay for a fairly low price, low enough to think it's a great upgrade for the Pentium G4400 even if I don't actually need the extra performance. After swapping the CPUs, I was a bit puzzled about why I don't seem to have AVX at all and why the kernel log suggested disabling HyperThreading altogether, even though these CPUs use the same microcode update file and that's kept up to date on my system. There won't be any more microcode updates and AVX won't be fixed.

          However, I am still a bit puzzled because Intel's page on the subject cites AVX2 and AVX-512 but not AVX1. So why does the kernel disable AVX1 as well? Is AVX1 really affected? Or are there any other practical reasons (like these can't be easily disabled selectively)?

          At any rate, I read the help text for this mitigation in menuconfig and it suggests that this mitigation be disabled ("if you are not sure" what to pick there). So I unticked it for now (but I didn't reboot the machine yet).
          But I guess it will be very inconvenient to re-enable this mitigation later if I recompile everything with march=native and "avx avx2" CFLAGS in Gentoo's make.conf (turning this will disable AVX 1-2 and potentially leave some software un-executable...).

          So, how serious is this for a headless machine acting as a NAS and a router for my home LAN and also running a few services connected to the WAN (like the Deluge torrent client)? Should I enable this mitigation or not...?

          Comment
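The state the poster describes (AVX gone, no microcode available) is what the kernel reports in sysfs. As an added check, not code from the thread, the script below classifies the kernel's GDS/Downfall mitigation state and cross-checks it against the `avx` flag in `/proc/cpuinfo`; it assumes the status strings documented in the kernel's `Documentation/admin-guide/hw-vuln/gather_data_sampling.rst`, and the sample files it writes are constructed inputs.

```shell
#!/bin/sh
# Classify the GDS (Downfall) mitigation state reported by the kernel and
# cross-check it against the AVX feature flag. File paths are parameters so the
# check can also be run against copied or constructed files.
gds_report() {
    vuln_file="${1:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"
    cpuinfo="${2:-/proc/cpuinfo}"
    if [ ! -r "$vuln_file" ]; then
        echo "no-sysfs-entry"            # kernel without the GDS mitigation code
        return 2
    fi
    status=$(cat "$vuln_file")
    has_avx=no
    # The first "flags" line is enough; every core reports the same feature set.
    case " $(awk '/^flags/{print; exit}' "$cpuinfo") " in *" avx "*) has_avx=yes ;; esac
    case "$status" in
        "Not affected")
            echo "ok: $status"; return 0 ;;
        "Mitigation: Microcode"*)
            echo "ok: $status, AVX usable=$has_avx"; return 0 ;;
        "Mitigation: AVX disabled, no microcode")
            # The forced fallback clears the AVX feature bit; AVX2/AVX-512 depend on
            # it and disappear with it, so "avx" must be absent from the flags.
            if [ "$has_avx" = yes ]; then
                echo "inconsistent: $status, but avx flag present"; return 3
            fi
            echo "mitigated-by-avx-disable: $status"; return 0 ;;
        "Vulnerable"*)
            echo "vulnerable: $status"; return 1 ;;
        *)
            echo "unknown: $status"; return 2 ;;
    esac
}

# Constructed sample inputs (not captured from real hardware) for exercising the check.
make_samples() {
    d=$(mktemp -d)
    printf 'Mitigation: AVX disabled, no microcode\n' > "$d/gds_forced"
    printf 'Vulnerable: No microcode\n' > "$d/gds_noucode"
    printf 'Mitigation: Microcode\n' > "$d/gds_ucode"
    printf 'flags\t\t: fpu sse sse2 ssse3 sse4_1 sse4_2\n' > "$d/cpuinfo_noavx"
    printf 'flags\t\t: fpu sse sse2 avx avx2 bmi2\n' > "$d/cpuinfo_avx"
    echo "$d"
}

# --live checks this machine; --demo runs the constructed samples.
case "${1:-}" in
    --live) gds_report ;;
    --demo) d=$(make_samples); gds_report "$d/gds_forced" "$d/cpuinfo_noavx" ;;
esac
```

A non-zero exit status from `gds_report` (vulnerable, unknown, or an inconsistent flag set) is the case worth alerting on in a fleet check.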
