Remote Attestation Attack on AMD SEV-SNP CVM in Azure

Following the 1st scenario ("request in separate workload") on this page ( https://learn.microsoft.com/en-us/azure/confidential-computing/guest-attestation-confidential-vms ), after step 2, is it not possible for a malicious guest OS to replace a valid attestation report with another attestation report (from a SEV machine with a good OS) to mask its presence from a relying party? How is this mitigated?