Not sure how many people here care about SEV, Secure Encrypted Virtualization. (Personally, I think it's a killer feature, and I agree with Norrod that it should be considered standard soon.)
Anyway, Forrest Norrod stated the following as an aside in an interview:
"The virtual machine is encrypted. So the virtual machine or container or even a process—actually the way that we've implemented it you can make it any one of those three—and it's independent. It's managed by a separate key manager in our security processor. So the systems administrator for the server does not control that key. The user of that VM running their workloads on Amazon [Web Services] can control that key, so all of their VMs work as normal, work full performance, there's no performance impact, but even if Amazon wanted to, they couldn't look into that virtual machine."
I didn't know this essentially works at the process level. This is great, as it should allow encrypting/isolating any process even without using VMs or containers.