Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg...
The analogue hole will always exist, but the quality is poor after recompression. Maybe I just have high standards, but I'd never watch anything that's been re-encoded.