An enclave does not make any system calls directly like the rest of the process would, but a system call can definitely be made through the use of a shim layer. In SGX parlance, calls to the outside of the enclave are known as OCALLs. The danger with relying on values returned by a syscall is that the OS could be lying. As an exercise, you could implement a simple "hello, world" filesystem driver that hides the presence of certain files. So, as long as the enclave has no trusted path to I/O, it must rely on the operating system, which is assumed compromised. If the enclave decrypts protected content for the sake of having it written to the display by the OS, then you can see that the contents are not secure. SGX support for PAVP means that the chipset is involved in shuttling the data into and out of the enclave, with no one being able to interject. Not sure TrustZone solves this.
Just came across this interesting article: https://arxiv.org/pdf/1701.01061
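The point above about syscall return values crossing the OCALL boundary can be made concrete with an added example (not part of the original post, and not Intel SGX SDK code). It simulates in plain C a trusted-side wrapper that treats the host's reported length as hostile input; `ocall_read_fn`, `enclave_read_checked` and the three host functions are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical OCALL signature: the untrusted host fills buf and reports a length. */
typedef ssize_t (*ocall_read_fn)(void *buf, size_t cap);

/* Constructed host that behaves honestly. */
static ssize_t honest_host_read(void *buf, size_t cap) {
    static const char data[] = "hello";
    size_t n = sizeof data - 1 < cap ? sizeof data - 1 : cap;
    memcpy(buf, data, n);
    return (ssize_t)n;
}

/* Constructed host that lies: claims more bytes than the buffer can hold. */
static ssize_t lying_host_read(void *buf, size_t cap) {
    memset(buf, 'A', cap);
    return (ssize_t)(cap + 4096);
}

/* Constructed host that reports an out-of-contract negative value. */
static ssize_t negative_host_read(void *buf, size_t cap) {
    (void)buf; (void)cap;
    return -12345;
}

#define ENCLAVE_ERR_UNTRUSTED_RETURN (-1)

/* Trusted-side wrapper: the return value is attacker-controlled input. */
ssize_t enclave_read_checked(ocall_read_fn host, char *dst, size_t dst_cap) {
    char staging[256];  /* stands in for the buffer the shim marshals into */
    size_t cap = dst_cap < sizeof staging ? dst_cap : sizeof staging;
    ssize_t claimed = host(staging, cap);
    /* Reject any length outside [0, cap] before it is used as a size. */
    if (claimed < 0 || (size_t)claimed > cap)
        return ENCLAVE_ERR_UNTRUSTED_RETURN;
    memcpy(dst, staging, (size_t)claimed);
    return claimed;
}
```

A range check like this only catches out-of-contract values; a well-formed lie, such as the hidden-file case described above, has to be caught by integrity protection on the data itself.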