Except that the security model on the server side is broken as there is no way for Intel to know that a key is compromised and thus revoke it; at least for the DRM use-case sharing cracked keys on forums is common. Why would an attacker ever share keys in the tenant/host case? Moreover, is there some reason to believe that Amazon, Google, or Microsoft would struggle to extract a key if they are indeed malicious? Is there a good reason to believe that Intel would never just give keys to certain government agencies when asked? If you are worried about a malicious host, SGX/etc. are at best a partial, very limited solution even if all you care about is integrity/attestation.
SGX and TEEs generally are and always were a DRM solution, with the server use-case mostly being an afterthought that the marketing teams pushed hard. They also create a fantastic forced-obsolescence program as they require active support on the part of chip makers throughout an application's lifecycle; Intel can arbitrarily deprecate otherwise functional CPUs by just not revoking compromised keys (and perhaps releasing a few into the wild just to force people to upgrade).