The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application that leverages QSEECOM access, aka internal bug 24446875.
then it's not strictly TrustZone that have been cracked, but some software running within, already patched. TrustZone itself is a hardware mechanism, basically a new level above the usual user/kernel modes.
But sure, this hack reportedly gave possibility to run arbitrary code as "trusted" and mess up any other software running on the CPU, trusted or not.
I don't know what those keys were and whether they were indeed "Qualcomm private" or per-device or something else. Google quite uselessly returns only news about this hack.