
The whole feature is advertised as something hypervisor operators can use to show customers that their data and code are safe from interference by these operators. Basically, it's about separating physical access to the hardware from access to the computation that occurs on the hardware, and the data that is processed there. This means that such attacks are relevant for once.

I have my doubts whether this can ever work reliably. It seems risky to bet a lot of infrastructure investment on the fact that attacks like this one (or even better ones) do not happen. But the entire hypervisor business has the same structural problem (a bad CPU bug like the T-Head C910 vector issue could turn your hypervisor fleet into very expensive single-tenant machines overnight), and yet here we are …



