One of SGX’s basic ideas is to remove the cloud provider from the root of trust.
If the enclave is encrypted & therefore decrypted only after a successful remote certification, the cloud provider has no way to access the secret code inside the enclave.
However, the elimination of this basic functionality of SGX could mitigate malicious enclaves in practice, because the binary or source code of the enclave could be read by the cloud provider & analyzed for malicious activities.