If the attacker has ring 0 outside a VM, don't they have full access to the memory and execution state anyway?

On AMD server CPUs, the administrator of the cloud/datacenter is supposed to not have access to the encrypted memory used by customers' VMs.

This vulnerability breaks this assumption.

"This vulnerability allows a local administrator (ring 0 from outside a VM) to load clean microcode patches free of the vendor's malicious features."