Even if the database is moved into the enclave, it requires persistent storage. All keys for the enclave and other persistent state are provided outside the enclave, which opens it up to risks. And unless *you* are asked each time to share your key with a new enclave firmware, and on each restart or redeploy of their production servers, then the keys are coming from somewhere else that can disclose them.