I have a basic question about syscall and ocall.
As I know, system call is prohibited inside the enclave since the operating system is untrusted.
But the developers still can define (insecure) ocall interface, then anyhow system call can be used (indirectly).
My question is, what is the difference, in terms of security, between (1) calling the system call directly inside the enclave and (2) calling ocall function that indirectly calls system call??
The both seems equally insecure to me. What am I missing?