In confidential computing, the view of the system software is Manichean: the host operating system is untrusted and the TEE runtime system is fully trusted. However, the runtime system is often as complex as a full operating system, and thus is not free from bugs and exploitable vulnerabilities. Yet, it executes with complete system-level control over the enclave application, in violation of the least privilege principle. While the confidential computing research community has been striving to secure trusted software from its untrusted counterpart, efforts fall short when it comes to securing the enclave application from potentially bug-prone and vulnerable trusted runtime systems. This project describes the design of a simple RISC-V extension that prevents trusted runtime systems from accessing the enclave application's memory. We implement the hardware extension in the QEMU functional simulator and extend the Keystone TEE framework and its runtime system, Eyrie, to enforce the least privilege principle, support unmodified enclave applications, and prevent a class of Iago attacks that leverage the runtime system's unrestricted access to the enclave application's memory.