Obviously the remote code could send the data to whatever three letter agency the operator wants, so the remote operator need to publish the server's code. But how do you prove that the remote operator is running the code they claim they are?
That's what SGX does, it lets remote systems provide a cryptographic proof that they are running certain code. Including the ability to have a private key protected by the SGX, so you can public key encrypt your data, send it to the remote server, and know that only the code they've already published is processing your data.
But presumably now the SGX root key is published, anyone can still do all of the above, but in a simulated machine rather than on legit intel hardware, which means they see everything that SGX is supposed to hide from them.
The theory is that when you send your contact list to the service, the service can prove to you that it's running a specified set-intersection application (and nothing else!) in the environment that will have access to that data, using this attestation mechanism.
If it modified the application to make it log or leak your data somehow, it could no longer pass that attestation step.
This should work as long as there is no hardware or side channel attack that lets the service operator (or someone it rents hardware from) defeat the SGX security guarantees, as long as there's no backdoor in the enclave implementation, and as long as the signing keys are not leaked or extracted, and are only used in accordance with the published policies.
I'm genuinely unclear. How exactly does a user accomplish this? What role does SGX play in this?