It isn't, it's just an open source library to talk to the closed source Widevine plugin included with Chrome, or, in this case with keys illicitly obtained from a broken Google plugin that they haven't revoked yet.

There were some open source white box cryptography attempts fifteen or so years ago and they didn't work because of precisely what you say.