I think you're both right. There are side channel attacks against remote hosts (timing-based padding oracle attacks agains TLS come to mind). But for the case of PGP, which is mostly for encryption at-rest, attacks like this don't seem as relevant. I say seem as relevant, because crypto attacks can be surprising :)