@awkonecki, thanks for the comment.
TEE Client library, TEE drivers and TEE-OS protect the TEE Client Application context in Non-Secure World. The context, including the resource, will be isolated and managed by TEE Client library, TEE drivers and TEE-OS.
If there is any further question, please feel free to let me know.