Yeah. With blurays, you can always extract the device key out of some Bluray player. It's an extremely poor user experience for bluray consumers to have their devices stop working for new movies, so my impression is these keys aren't blacklisted all that quickly. For the streaming sites, I have no idea. But, yeah, the cleartext bits need to get in front of the user eventually.
BluRay has two security systems. One is based on key revocation (AACS) and one is based on embedding programs written by companies contracted by the movie studios which do dynamic detection of rippers. AACS failed almost immediately because indeed, keys leaked faster than they could be revoked. BD+ proved much harder, at least in the early years. But it was only ever designed to last about 10 years according even to the sales pitch of the designers and it's older than that now, so I wouldn't expect it to be all that effective anymore especially since Intel pulled SGX from their client chips.
