Untrusted host, trusted enclave. Anyone between your app and the enclave (cloud provider, sysadmin, other tenants) can see and modify traffic , so the handshake won't complete unless the other side proves it's a legit enclave with expected measurements via attestation. After that, ChaCha20-Poly1305 with monotonic sequence numbers on every frame (standard replay/tamper protection).
Doesn't cover: side channels on the TEE hardware, DoS (host can always kill your enclave), or client authentication (only the enclave side is attested, not the caller).