7

So we have DRM in our free software browsers now, and apparently it works quite well. The video is however still subject to the usual compositing.

I am running Fedora 25 including the wayland display server. If I do understand its architecture correctly, it basically expects applications to render their content into buffers and arranges the display of the composite (e.g. layering several windows on top of each other). In order to do so, it must have access to the content of these buffers. AFAIK wayland does not come with any DRM. So how is the content protected?

Specifically:

Why should I not be able to:

  • record the sound with a virtual pulseaudio device
  • record the images with a custom display server
choeger

1 Answer

6

EME itself does not prevent you from recording the content - that is not the point of EME. EME just provides a unified way to communicate with the native DRM browser component (called the Content Decryption Module - aka CDM). That interface allows you to:

  • Check what decryption keys are loaded in the CDM
  • Create a CDM-specific request for decryption keys for the license server
  • Push a response from the license server to extract new decryption keys in the CDM
  • Check what restrictions are associated with decryption keys (e.g. an HDCP requirement)

All the decryption is done internally - now the meaning of internally is very dependent on what content you are playing and on what platform.

From the commercial content perspective, there is usually a different value of content per resolution:

  • SD - usually SW DRM and there may be no output protection at all
  • HD / FHD - usually SW DRM and HDCP 1.x+ is fine - analog output should not be possible
  • UHD (4k) - HW DRM (includes Secure processor and Secure Video Path), HDCP 2.2+ is a must (unless Netflix reduces protection for their own content)

Only very few desktop PCs these days provide security for UHD content. It requires a combination of OS and CPU to deliver HW security (you should get that in Edge on Windows 10 with the latest generation of processors). That is in contrast to ARM devices, where this has been standard for many years (and it generally allowed 4k streaming on TVs).

There is also a different value of content during consumption:

  • Encrypted compressed content - no value. That content is publicly available on CDN and it is what you download when you stream it. Without decryption key, the content is useless.
  • Decrypted compressed content - high value. This represents encoded samples of video or audio after decryption. This content is considered high value because it has original encoding from the streaming service. It is also high value because encoding makes it relatively small. When HW DRM is involved, this content is never exposed to memory you could address.
  • Decrypted decompressed content - lower value. This represents individual frames coming from decoder. The original encoding is gone. Storing each frame would require a lot of space so the only option is to re-encode it which will have worse quality than the original encode. When secure video path is involved, you again don't have access to memory where these frames are held.

One thing that is good to point out is that a lot of DRM protection is about making sure regular users can't just record content. Once you start talking about using special drivers, recompiling the kernel with modifications or whatever else, you are no longer a regular user.

I'm not sure how exactly Google enables Widevine on Linux distros but it does not work on every single distro you choose. Google must kind of "enable" the distro to be supported first. It could be that some driver signature validation is done as well before Widevine is happy to work on the platform - just guessing.

Apart from that:

Why should you not be able to record sound?

You can - audio output is not protected at all.

Why should you not be able to record video?

If you manage to do that, you are working with the decrypted decompressed content I mentioned before. There have been other, easier ways to get this content for years and it didn't stop streaming services.

Ladislav Mrnka
  • "Why should you not be able to record sound? You can - audio output is not protected at all." What do you mean by this? Does EME not protect audio? – JBis May 21 '20 at 03:44
  • Depends on the setting; there are encodings where only video is encrypted. But that is not what I meant by this answer. With video, the DRM component checks the output protection required in the license and allows output only if the output protection is met - e.g. you may need to have HDCP to output to an external screen. There is no such restriction for audio because there is no widespread specification for protecting audio output. – Ladislav Mrnka Jun 05 '20 at 10:36
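
The four operations listed in the answer, written against the W3C EME browser API, as an added example that is not part of the original answer. `nav` stands for `window.navigator`; the key system string, configuration, init data and the `postToLicenseServer` callback are assumptions supplied by the caller.

```javascript
// Added example, not from the original answer. Targets the W3C EME API.
// `nav` is window.navigator in a browser; it is a parameter so the logic
// can be exercised with a stub. All argument values are caller-supplied.

// Key IDs are BufferSource values; render them as hex for logging.
function hex(buf) {
  const bytes = buf instanceof ArrayBuffer
    ? new Uint8Array(buf)
    : new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// List items 1 and 4: which keys the CDM holds, and which it refuses to use
// because an output requirement from the license (e.g. HDCP) is not met.
function summarizeKeyStatuses(keyStatuses) {
  const summary = { usable: [], outputBlocked: [], other: [] };
  for (const [keyId, status] of keyStatuses) {
    if (status === 'usable') summary.usable.push(hex(keyId));
    else if (status === 'output-restricted') summary.outputBlocked.push(hex(keyId));
    else summary.other.push(`${hex(keyId)}:${status}`);
  }
  return summary;
}

// List items 2 and 3: the CDM builds a license request, the page relays it
// to the license server, and the response goes back into the CDM. For DRM
// key systems such as Widevine these messages are opaque to the page.
async function acquireLicense(nav, keySystem, config, initDataType, initData,
                              postToLicenseServer) {
  const access = await nav.requestMediaKeySystemAccess(keySystem, [config]);
  const mediaKeys = await access.createMediaKeys();
  const session = mediaKeys.createSession();
  const request = new Promise(resolve =>
    session.addEventListener('message', e => resolve(e.message), { once: true }));
  await session.generateRequest(initDataType, initData);
  const license = await postToLicenseServer(await request); // hypothetical callback
  await session.update(license);
  return { mediaKeys, session, keys: summarizeKeyStatuses(session.keyStatuses) };
}
```

In a browser, pass `navigator` and attach the returned `mediaKeys` to the media element with `video.setMediaKeys()`. Key statuses can change after the license is loaded, so also listen for `keystatuseschange` on the session.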