For this type of attack to work, the algorithm being run needs to be very well understood, and the runtime of the algorithm needs to depend almost entirely on the secret key.
In contrast, the timing of virtually any email operation is not dependent on the contents of the email, other than the size. That is, whether you wrote "my password is hunter2" or "my password is passwor", the timing of any operation running on this email will be identical.
Perhaps those could be attacked. It's possible though that it's not feasible, that the possible inputs leading to a certain timing signature are just too many to get any data out of it.
Consider that those programs are not making any effort whatsoever to run in constant time, and yet no one has shown any timing attack against them. OpenSSL has taken great pains to have constant execution time, and yet subtle processor features like this still introduce enough time differences to recover the keys.
> It's possible though that it's not feasible, that the possible inputs leading to a certain timing signature are just too many to get any data out of it.
That's plausible, but a very different argument from the original, that read:
> In contrast, the timing of virtually any email operation is not dependent on the contents of the email, other than the size.
Check out https://www.qubes-os.org/ for an operating system that tries to put as many layers of defense as possible between an end user's applications.
Why only cryptographic applications? What if I'm writing a very sensitive e-mail, for instance?