Comment by benlivengood

All cloud services are in a similar position; they hold the private TLS keys and could reveal them in response to legal process, allowing active MITM (perfect forward secrecy prevents passive data theft without more intrusive realtime access to VM RAM).

Only a very specific configuration of "Confidential Computing" (based on AMD SEV or Intel TDX) where boot attestation is checked remotely before private keys are sent from an on-premise store (or a fully trusted hosted HSM) to the remote VM could prevent a cloud provider from intercepting private key material, and only then as far as boot attestation and SEV/TDX is trusted.