An intruder doesn't need to be connected to your local network -- they just need to prompt you to open a link while you're connected to the same network as one of Google's affected devices. You also need to keep that link open for roughly a minute (the amount of time it takes to get a location), but that's not necessarily difficult if there's enough content to distract the target.

The fix is expected to arrive in mid-July. In the meantime, though, there's a risk this could be used to add seeming legitimacy to phishing and extortion campaigns. A scammer could target you by focusing on your exact address or neighborhood, for instance, while a blackmailer could find out where you live and use that as part of a threat to release private info. No matter what, this is a reminder that smart home gadgets still have a long way to go before they're truly secure. You have to assume that even mildly sensitive info transmitted in the clear can serve as an avenue for attack, and Google has learned that lesson the hard way.