Supply chain is still an issue in sovereign clouds. At some point there's still a trust decision, whether that's to trust the cloud provider, the hardware manufacturer, the chip manufacturer, etc.

For organisations with the resources to deal with an APT, great lengths are gone to in order to verify that the supply chain is trusted all the way down to the chip manufacturer. The hardware used isn't just bought from Best Buy and given a huge dose of trust, but instead there are with many many steps to verify that the eg the hard drives are using the expected firmware version. You spend as much as you can on the whole process, but if your threat model includes the CIA, China, and the FSB, it's exceeding expensive.

I wish that were true but it's really not. At least not within the public sector, maybe wealthier private firms can afford to do that level of verification.

Anyway, even then you still need to make trust decisions. How do you verify the ICs in your HDD haven't been tampered with? How do you know the firmware wasn't built with a malicious compiler? Or that a bad actor didn't add a backdoor to the firmware? Realistically there's a lot of components in modern computers that we have no choice but to trust.