Both Confidential and Private Compute are about "provably locking observers out", but for different observers.
Verifiably Private Compute says "The author of this service has locked themselves out from peeking inside, and as a user you can verify that externally."
Authors can use tools like remote attestation to make this claim, attested to by the cloud host.
It allows users to trust that a cloud service is not, for example, logging their behavior.
This is what Apple has done with Private Cloud Compute.
Confidential Compute says "the host of this service cannot peek inside, and as a user you can verify that externally".
Host here means the cloud provider, e.g. AWS, GCP, Azure.
Confidential Compute uses hardware support in off-the-shelf chips to keep the VM's memory encrypted while it runs.
This means that the host can't peek inside running VMs.
Confidential Compute does not say, by default, that the author of the service isn't peeking.
However, Confidential Computing can make claims of being Verifiably Private stronger.
For example, remote attestation claims from Confidential Compute instances are attested to by the hardware root of trust, instead of by the cloud host's software layer.
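The difference between those two trust anchors is easiest to see in the verifier's code. The following is an added example, not code from Apple or from any cloud or chip vendor: it models attestation as a two-link signature chain (a root key endorses a per-machine attestation key, which signs a report over the code measurement and the verifier's nonce) using ed25519 from Go's standard library, with constructed keys and image hashes. Real attestation formats carry more fields and a longer certificate chain, but the check that matters here is the same: evidence is only accepted if it chains to the hardware vendor's root, so evidence endorsed by the host's own software key is rejected even when everything else about it is well-formed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement is the hash of the code image the VM (or enclave) booted.
type Measurement [sha256.Size]byte

// Report is the simplified, constructed attestation statement: which code is
// running, bound to the verifier's fresh nonce so old evidence cannot be replayed.
type Report struct {
	Measurement Measurement
	Nonce       []byte
}

// Encode serialises the report deterministically for signing (constructed format).
func (r Report) Encode() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.Nonce...)
}

// Evidence is what the service hands to the verifier: the report, the attestation
// key's signature over it, and an endorsement of that key by some root.
type Evidence struct {
	Report       Report
	ReportSig    []byte
	AttestPub    ed25519.PublicKey
	AttestPubSig []byte // root key's signature over AttestPub
}

var (
	ErrRoot        = errors.New("attestation key not endorsed by the trusted hardware root")
	ErrReportSig   = errors.New("report signature invalid")
	ErrNonce       = errors.New("nonce mismatch: replayed or stale evidence")
	ErrMeasurement = errors.New("measurement does not match the published build")
)

// Verify accepts evidence only if it chains to trustedRoot, is fresh for nonce,
// and reports the measurement the user expects from the published build.
func Verify(trustedRoot ed25519.PublicKey, ev Evidence, nonce []byte, expected Measurement) error {
	if !ed25519.Verify(trustedRoot, ev.AttestPub, ev.AttestPubSig) {
		return ErrRoot // endorsed by some other key, e.g. the host's software layer
	}
	if !ed25519.Verify(ev.AttestPub, ev.Report.Encode(), ev.ReportSig) {
		return ErrReportSig
	}
	if !bytes.Equal(ev.Report.Nonce, nonce) {
		return ErrNonce
	}
	if ev.Report.Measurement != expected {
		return ErrMeasurement
	}
	return nil
}

// Attest simulates the platform side: the root endorses a fresh attestation key,
// which then signs a report over the measurement of the code actually running.
func Attest(rootPriv ed25519.PrivateKey, measurement Measurement, nonce []byte) Evidence {
	attestPub, attestPriv, _ := ed25519.GenerateKey(rand.Reader)
	rep := Report{Measurement: measurement, Nonce: nonce}
	return Evidence{
		Report:       rep,
		ReportSig:    ed25519.Sign(attestPriv, rep.Encode()),
		AttestPub:    attestPub,
		AttestPubSig: ed25519.Sign(rootPriv, attestPub),
	}
}

// Scenario runs the cases a verifier cares about and returns each outcome.
func Scenario() map[string]error {
	hwRootPub, hwRootPriv, _ := ed25519.GenerateKey(rand.Reader) // hardware vendor root (constructed)
	_, hostRootPriv, _ := ed25519.GenerateKey(rand.Reader)       // host's software-layer key (constructed)
	published := sha256.Sum256([]byte("service image v1 (constructed)"))
	tampered := sha256.Sum256([]byte("service image with logging added (constructed)"))
	nonce := []byte("fresh-nonce-001")

	out := map[string]error{}
	out["hardware-rooted, matching build"] = Verify(hwRootPub, Attest(hwRootPriv, published, nonce), nonce, published)
	out["host-rooted evidence"] = Verify(hwRootPub, Attest(hostRootPriv, published, nonce), nonce, published)
	out["different code running"] = Verify(hwRootPub, Attest(hwRootPriv, tampered, nonce), nonce, published)
	out["replayed evidence"] = Verify(hwRootPub, Attest(hwRootPriv, published, []byte("old-nonce")), nonce, published)
	return out
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

The verifier's trust anchor is the whole point: with the hardware vendor's root as `trustedRoot`, the host cannot mint acceptable evidence for a VM it has altered, because it does not hold the root key. If the anchor were instead a key the host controls, the "host-rooted evidence" case would pass, and the Verifiably Private claim would rest on the host's honesty rather than on the chip.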
Apple did not use Confidential Compute for Private Cloud Compute.
Private and Confidential Compute are both useful claims and they are complements.
The gold standard is both private and confidential: both the author and the host are provably locked out of peeking inside.
Confidential Compute has been a slow and steady sea change, but mostly for specialized B2B applications (e.g. defense contractors).
Apple's Private Cloud Compute is the first time that consumers have been told they can and should expect a higher standard of privacy for cloud computing.
The shift to private+confidential computing in the cloud seems inevitable!
This shift will be extremely hard for incumbents to successfully retrofit to their existing technical architectures and business models.