I know that its encrypted. But with the exploit in 1.0.0 you can basically have trustzone fetch the key for you without needing to know it. So you wouldn't technically need the key to decrypt the game with that exploit if I understand correctly. This is info coming from the 34c3 talk
The trustzone can't fetch something it doesn't have. The point of having this safeguard is that they can contain the potential for game piracy if their system is compromised.
3.0.0 was compromised so they changed to a new one starting with 3.0.1, when/if that's cracked they'll just do it again and we're then limited to piracy for at most that version.