So is that really all there is to it? Not allowing scripting to run when you surf the web?
Pretty much (and the usual good practices; keeping your system updated, not running random email attachments etc.). The real nasty side of Meltdown was on shared hosting (AWS, Azure, etc), where as a guest you don't know who else might be hosted on the same physical hardware able to run the exploit.