This is all from research done by people smarter than me; not much has been published unfortunately. A good starting point for thinking about exclaves is by looking at ARM Realms or how pKVM is designed in Android.
If the "Secure Exclave" is a privileged VM (alongside iPadOS VM) on a minimal bare-metal hypervisor, does that open the door to unprivileged Linux or other user VMs safely running alongside iPadOS on iPad Pro?