First thing to note is that SSMS has rewritten the query as a parameterized statement. The literal, used to initialize the
@SSNvariable in the original query, is being passed inside a parameter, with an auto-generated name (@pdf9f37d6e63c46879555e4ba44741aa6). This allows the .NET Framework Data Provider for SQL Server to automatically detect that the parameter needs to be encrypted. The driver achieves that by calling sp_describe_parameter_encryption that prompts SQL Server to analyze the query statement and determine which parameters should be encrypted and how. Then, the driver, transparently encrypts the parameter value, before submitting the query to SQL Server for execution via sp_executesql. SQL Server can now successfully execute the query.
Read the whole thing. Setting this up does obviate part of a benefit to using Always Encrypted: the ability completely to lock out a database administrator from certain pieces of data.