This still excludes wide ranges of possible rogue admin attacks.

As a minimum, it takes shutting down and powering down the physical machine, then starting it up, which would not go unnoticed in highly controlled environment where SEV makes most sense.

One potential use of SEV is to provide a secure environment to run a VM at an untrusted provider. That provider could do lots of things with funky motherboards and forced migrations without notice by their clients.

If it's an insider attack on company owner and operated hardware, there's always some reason to have a long downtime, and you can piggyback on that to attack the CPUs... Or just put it in a new system and use the migration setup.

Suggested downtimes, organic or sabotage up to attacker's timeline:

HVAC failure: have to shut down many/most/all servers to manage temperatures until HVAC techs can fix.

Automatic transfer switch failure: these things love to fail at the same time as a utility failure, and aren't always easy to bypass.

it does mean though that a system integrator could extract the keys ahead of time, likely without any way to know this has happened. adding a way to generate a new key or otherwise rotate the key material should fix that issue though.