Hacker News

nine_k yesterday at 11:16 PM

I wonder how much more expensive it is to rent the whole physical machine at all times for confidential computing purposes, compared to the losses incurred by a breach.


Replies

AnthonyMouse today at 12:44 AM

The premise of attestation is supposed to be that you can use hardware even though it's in the physical possession of someone you don't trust. It's a terrible idea, because vulnerabilities are found on a regular basis and the party you're not supposed to be trusting is then already in possession of your sensitive data when the next one is published. The premise should be abandoned and the parties attempting to get anyone to rely on it should be lampooned and run out of town.

Not having a multi-tenant system is something else. There you're trying to be protected from other customers, not the provider. Excluding other tenants still wouldn't protect you against the provider, especially on systems with proprietary and potentially exploitable ring -1 hardware they could already be silently in control of even when the entire machine is allocated to you.

Meanwhile for anything on the scale of an organization, having physical possession of the machine yourself isn't that expensive. People got hoodwinked when virtualization first came around because they compared the cost of having a mostly-idle physical server for each of their applications to having that many cloud VMs, and the cloud VMs were cheaper, but that isn't the right comparison. You don't compare having 100 physical machines to having 100 VMs, even if people used to use 100 physical machines for that in 2005. You compare it to having three physical machines that can each run 100 VMs, and then having physical possession of your own hardware is frequently less expensive.

tardedmeme today at 4:07 AM

It's actually several times cheaper to rent a whole physical machine than to rent a single Amazon VM of equivalent compute power.

oakwhiz today at 4:38 AM

With sufficiently defined lease contracts it should be possible to price out the used machine risk from a new machine... Hmm

UltraSane today at 12:14 AM

A lot more expensive and this is required for any classified data. I honestly don't think you can truly securely share a CPU with a hostile tenant because there are just too many side-channels.
