Imagine it being capable of enforcing something like which executables you are able to load... Quite in the vein of Apple sending the executables hash to some random server
Another commenter familiar with the tech said: Pluton can securely track what software was booted on the main core (called "measure boot") and it basically sends a hash of that to the cloud to prove to the cloud what software is currently running.
That sounds like most of what you need to build a system that can enforce what executables you're allowed to load and prevent you from attaching a debugger.
Pluton can securely track what software was booted on the main core as long as the previous component in the boot chain participates. If your OS doesn't participate, you don't get any measurements beyond that point. And that means there's no way for Pluton to block execution.
You omitted the context there: the poster was talking about Azure Sphere - IoT devices that use Pluton for verification with remote services.
That's a different use case (chip-to-cloud). It can also not prevent you from attaching a debugger when all you need to do is to go offline.
In fact, the whole point is that you can run anything without compromising the security of the data in the secure enclave. That's what Zero-Trust is all about.
Isn't Microsoft already doing that on a default Windows installation?
Edit: Yes, SmartScreen, enabled by default, seems to send:
Hash, name and signature for executables. (Also hashes of urls you visit (though I guess only in Edge?))