"The Act explicitly has provisions for challenging the warrants"
Sure - but who could challenge the warrants, and who decides? In both cases is the US company and a US judge. The foreign country may not even be notified. A warrant has to be explicitly challenged by the US company asked to produced the data, if it doesn't and simply comply there is no way for a non-US entity to challenge it.
The judge has to take into account first: "“(A) the interests of the United States, including the investigative interests of the governmental entity seeking to require the disclosure;"
Moreover the foreign country has to be "qualified" - basically forced into an agreement with the US about data exchange, and a very asymmetric one. Otherwise no protection is afforded.
The whole law was built because MS refused to hand emails from Ireland until it had its butts fully covered by the law.
It's law enforcement the US way - thinking that outside US "hic sunt leones" and they are all primitive countries - but it's exactly US law that is becoming very primitive. The CLOUD Act is not different from possible Huawei trojan horses - any US company becomes a trojan horse.
While is true that espionage may access that data as well, there is the basic difference that espionage is illegal - and any US company that helps it is committing a crime.
The CLOUD Act instead try to assert a legal right for US law enforcement agencies to access non US data, and US companies try to assert they are only law-abiding entities.