TEEs feel like the right foundation here — you can't have agents worth trusting if the operator has a read on every query. The threat model shifts from "trust the company's privacy policy" to "trust the math," which is a meaningful upgrade. Curious what model families you're running inside the enclave, and how the latency overhead compares to non-confidential compute at the same tier. That tradeoff is the thing that'll determine how widely this gets adopted.