The host can't touch the memory the enclave uses, and code being run is signed. Without the secret key, you can't fool anyone.

EDIT: Not...