Essentially you're trying to provide a way to prove that the code running on the machine is what you instructed. This is achieved by a series of hardware attestations that measure and check the code to make sure it's what you requested. Generally this means encrypted ram at a minimum, and checks/balances that give you confidence this is the case (you have to trust someone, eg: Intel)

Is it perfect, probably not, but it's a lot better than just running VMs with unencrypted memory that any operator can jump into.

To my understanding most GPU workloads are not run in this way currently, and the operator can see/manipulate everything executed