tf-encrypted / tf-encrypted

A Framework for Encrypted Machine Learning in TensorFlow

Home Page: https://tf-encrypted.io/

Why can I see all secret shares in one party?

huajinghua opened this issue · comments

I don't know if I use this framework correctly, but I think this problem really confused me.
Take this example: examples/application/simple-average/run-remote.sh

First, I comment out the last line:

Second, I run run-remote.sh.

Third, I use PyCharm to debug 'run.py',

and then I can see all secret shares of the input's element.

Obviously, I can reconstruct the input according to the secret shares, and it is not secure.
I wonder if I didn't use it correctly. Could you please solve this confusion? Thanks!

I think some party should know only a part of secret shares or nothing, and no party can know all secret shares.
But maybe I don't understand the design principle of tf-encrypted.

You are right, some party should know only a part of secret shares or nothing. Unfortunately, there is no access control in tf-encrypted, mainly because TensorFlow doesn't have one. You could see that share0 and share1 are on different devices, but the master device (the process running run.py) can still access them; there is no access control. We don't have a solution for this problem without modifying the source code of TensorFlow until now, so we suggest not using tf-encrypted for production purposes.

OK, thanks for your answer!
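
The trust problem discussed in this thread, as an added example that is not code from tf-encrypted or from either commenter: a pure-Python sketch of two-party additive secret sharing for the simple-average case. The `Party` class, the `coordinator_view` helper, the 2^64 modulus and the sample inputs are assumptions made for illustration.

```python
import secrets

MOD = 2 ** 64  # ring size for additive sharing (assumed for illustration)

def share(value, n_parties=2):
    """Split value into n additive shares that sum to value mod MOD."""
    shares = [secrets.randbelow(MOD) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares

def reconstruct(shares):
    """Anyone holding every share of a value recovers that value."""
    return sum(shares) % MOD

class Party:
    """Hypothetical compute party: stores one share of each input."""
    def __init__(self, name):
        self.name = name
        self.shares = []

    def local_sum(self):
        # Addition is linear, so each party sums its own shares locally.
        return sum(self.shares) % MOD

def secure_sum(inputs, parties):
    """Distribute shares of each input, then reveal only the total."""
    for p in parties:
        p.shares = []
    for value in inputs:
        for p, s in zip(parties, share(value, len(parties))):
            p.shares.append(s)
    return reconstruct([p.local_sum() for p in parties])

def coordinator_view(parties, index):
    """A process that can read every party's state (like the master
    process running run.py in the thread) rebuilds any single input."""
    return reconstruct([p.shares[index] for p in parties])

if __name__ == "__main__":
    inputs = [12, 30, 45]  # constructed sample inputs
    parties = [Party("server0"), Party("server1")]
    total = secure_sum(inputs, parties)
    print("revealed average:", total / len(inputs))
    print("server0 alone sees:", parties[0].shares)  # uniformly random values
    print("coordinator recovers input 0:", coordinator_view(parties, 0))
```

The protocol only protects inputs while no single process can read both parties' shares; a coordinator with access to every device is outside that assumption.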