Maybe I don't understand what you mean by "replay attack" in this context, but the secure enclave does in fact provide protection against brute forcing passcodes. It is detailed in Apple's security whitepaper (see p12). Basically, you have to give the passcode to the secure enclave to get the data decryption key which is derived from the device-specific key contained therein. And the enclave enforces time delays between wrong guesses.
If you can envision a procedure for hacking around this I would love to hear it.
If you can envision a procedure for hacking around this I would love to hear it.