I am curious why desktop Chrome only supports L3 CDM, while android Chrome and ChromeOS can support L1 CDM.
Is there any possible reason for that??
Just to roughly guess, two possible reason could be to support Linux platform and for wide usage of Chrome?
1) I read someone saying that to use L1 CDM 'secure media path' has to be implemented in graphic pipe line and Linux doesn't have it implemented.
2) Desktop Chrome doesn't wanna be restricted by H/W requirements?
The simple answer is that it is because it does not meet all the security requirements for Widevine L1, as you guessed.
The more complex answer is that this domain is evolving all the time, and different devices and browser combinations need to be looked at separately at any given time. For example Chrome on Android now does support Widevine L1:
The usual blocker on a device/browser combination are the lack of a secure media path, and/or the lack of a hardware root of trust integrated into the solution.