I just watched the recorded stream about SGX and I came up with two ways to bypass SGX that were not mentioned.
Everywhere below read "code" as "binary code", not "source code"
First is a software technique: if SGX does not control the stack of the program, we can inspect the stack or trap stack modifications to obtain the locations of function end/start positions and "execute" arbitrary code using "return-oriented programming".
You can read about return-oriented programming in length from this pdf: https://cseweb.ucsd.edu/~hovav/dist/rop.pdf, but I will describe the technique in a few words:
if you control the stack, you can set a return pointer to an arbitrary position in the program, which, in general, leads to arbitrary code execution from within the program space. Instructions may be read starting from different locations and may completely change the meaning of the code. This may be hard, but not impossible if the program code is not known.
The second one is in the hardware, but it is much cheaper than reversing a CPU:
An expensive beefy unbreakable Intel CPU decrypted the secret program code and put it into a cheap RAM module. Since RAM is much easier to produce and "hack", we can read the program code from physical RAM, or inject arbitrary code directly into the physical RAM. Of course, this won't work if SGX decrypts and encrypts memory on the fly which is ridiculously expensive computing-wise.