One advantage of SGX over Bastion is its reduced trusted computing base: the trusted hardware can still protect secure enclave even when the hypervisor is compromised although compromising the hypervisor could be significantly more difficult than attacking the OS, since hypervisors are orders of magnitude smaller than a typical full-feature OS.