It's not a valid concern in this context, however, because an attacker attempting to bruteforce it can simply code the more efficient comparison and use it.
Timing attacks are a concern on network applications or when considering a block-box type attack.
Don't they also generally depend on the attacker either having access to a steady stream of crypto-events, or being able to cause them? i.e. you either watch a loaded system doing encryption, or create some load and time it yourself.
Neither of which would be relevant to an offline file format.
It's not a valid concern in this context, however, because an attacker attempting to bruteforce it can simply code the more efficient comparison and use it.
Timing attacks are a concern on network applications or when considering a block-box type attack.