L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.
This suggests that the media industry only trust you to receive their content if they have some degree of control over what your device is doing. There's an obvious logic to them setting such a requirement, but it does mean rolling out a worldwide system where critical security components underpinning our digital societies are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).
I feel that ultimately this will create a precarious situation and introduce risks that are not justified.
Fun sci-fi exercise: what happens when you mandate legal backdoors for general-purpose crypto, but lock down content so tight that it's NSA-resistant?
Unfortunately I can also imagine that the NSA give themselves backdoors that can even get past the legally-mandated DRM, and the media industries would accept this.