If it's open source and has a reproducible build, then you can audit the codebase, compute the hash, then verify an attestation from the secure enclave that the code is running in.
In the case of the above, you're not trusting the server, you're only trusting the CPU manufacturer. Attestation happens within the secure enclave inside the CPU, at which point having physical access to the machine doesn't (well, shouldn't, if it's correctly implemented) give you any insight into what code it's running or what data it's operating upon.
How can you know which CPU is running?
Also, the software could easily change the output of the security chip (secure enclave is only on apple devices).
Part of the attestation process involves receiving a cryptographic signature from the CPU vendor. They can only fake it if they break the cryptography. And enclaves (or "trusted execution environments") aren't only on Apple chips, AMD and Intel have their own implementations.