Or spun differently, _I_ can run private, trusted code on an adversarial, remote EC2 instance without compromising my privacy and preventing the adversary (Amazon) from tampering with my secure execution.

At least in theory. IIRC, a number of side channel attacks are exploitable on Intel SGX, so the adversary could leak secrets but not tamper with execution.