To add to this ^ imagine that your enclave is computing a wrong result and then signing this result along with an attestation that it ran the correct code.
This could be fine if the computation first goes through a consensus mechanism that tolerates faults, but could be devastating otherwise.
Processor vendors have been trying to tell us that they can protect parts of the CPU from its user. Intels version of that is called SGX.
There are very few good use cases of this. Also it doesn't really work.
But there are gazillion ways to attack it, so plenty of papers can be written about it.