by tonetegeatinst 665 days ago
Encrypted VMs? On EPYC?

What's the performance penalty for that?

3 comments

In benchmarks from Microsoft Azure and Google Cloud, 1-8% overhead for throughput.

Microsoft Azure: https://community.amd.com/t5/epyc-processors/microsoft-azure...

Google Cloud: https://www.amd.com/content/dam/amd/en/documents/epyc-busine...

For CPU-bound workloads, pretty low, but not low enough that it's free (~5%).

For devices (especially latency-sensitive workloads), it's quite bad. Device accesses have to be bounce-buffered. You can't do anything vaguely zero-copy, since the device can't DMA to or from the VM. Future hardware support will mitigate that (mutually attested VM/Device interactions), but no real-world devices support it yet.
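Added illustration, not part of any comment in this thread: a toy C model of the bounce-buffer path described above, showing why a device pointed at guest-private memory gets unusable bytes and what the extra copy costs. The XOR "encryption", the key, the buffer sizes and all function names are assumptions made for the example; real hardware encrypts memory in the memory controller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration: XOR with a guest-only key stands
 * in for the hardware memory encryption; names and sizes are hypothetical. */
#define PAGE 64
static const uint8_t GUEST_KEY = 0x5A; /* never visible to host or device */
static uint8_t private_mem[PAGE];      /* guest-private DRAM: ciphertext */
static uint8_t shared_mem[PAGE];       /* shared bounce buffer: plaintext */
static size_t bytes_bounced;           /* extra CPU copy work */

/* Guest CPU store/load: data is transformed between CPU and DRAM. */
static void guest_store(const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) private_mem[i] = (uint8_t)(src[i] ^ GUEST_KEY);
}
static void guest_load(uint8_t *dst, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = private_mem[i] ^ GUEST_KEY;
}

/* Device DMA has no key: it sees whatever bytes are in DRAM. */
static int device_sees(const uint8_t *dram, const char *expect, size_t n) {
    return memcmp(dram, expect, n) == 0;
}
static size_t clamp(const char *msg) { size_t n = strlen(msg); return n < PAGE ? n : PAGE; }

/* Zero-copy attempt: device is pointed straight at the private page. */
int zero_copy_delivers_plaintext(const char *msg) {
    size_t n = clamp(msg);
    guest_store(msg, n);
    return device_sees(private_mem, msg, n);
}

/* Bounce path: guest CPU first copies the data into shared memory. */
int bounce_delivers_plaintext(const char *msg) {
    size_t n = clamp(msg);
    guest_store(msg, n);
    guest_load(shared_mem, n);   /* the copy zero-copy I/O would avoid */
    bytes_bounced += n;
    return device_sees(shared_mem, msg, n);
}
size_t extra_bytes_copied(void) { return bytes_bounced; }

int main(void) {
    printf("zero-copy: %d\n", zero_copy_delivers_plaintext("disk block 7"));
    printf("bounce:    %d\n", bounce_delivers_plaintext("disk block 7"));
    printf("copied:    %zu bytes\n", extra_bytes_copied());
    return 0;
}
```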

I don't know the performance implications, but the brief description of the feature is that guest memory is encrypted with a key that the host doesn't know, so the host can't observe the contents of guest memory.