privatelypublic 11 hours ago
This doesn't appear to be exclusively anti-evil maid. It takes "build an AMI that doesn't have enough userland to extract the keys" and extends it to "only approved AMIs can access the keys." Lateral movement of attackers. Shadow IT. People modifying things between test and Prod. All easy examples that don't require you to trust AWS hasn't backdoored it to still get better security.