Trusted execution environments (TEE): hardware fences off data in use — but the root of trust is the chip vendor, and side channels remain
In one sentence the root of trust is the chip vendor (you trust Intel / AMD / NVIDIA's keys and implementation), and TEEs have been repeatedly broken by microarchitectural side channels (the Foreshadow family). It's the load-bearing wall for Volume 5's "confidential inference," so Volume 1 spells out up front what it does and doesn't guarantee.