started with Armv9 (2021), ARM Confidential Compute Architecture (CCA) extends the Arm architecture by a new Trusted Execution Environment called realm. A realm is dynamically managed by untrusted software, but preserves the confidentiality and integrity of its contents through a combination of hardware and software mechanisms. memory can be encrypted but it is not default. TLDR you can run code in realm that are isolated from the rest of the system^[1]

- GCS is an architecture feature intended to provide greater protection against Return-oriented programming (ROP) attacks and to simplify the implementation of features that need to collect stack traces such as profiling. ^[2]

- When GCS is active a secondary stack called the Guarded Control Stack is maintained, protected with a memory attribute which means that it can only be written with specific GCS operations. ^[3]