For the concern of making tags harder to clone: Cheap contactless tags usually don’t support asymmetric cryptography (not even ECC), so this would significantly increase the BOM.
If the tags only carry the keys as storage media instead of using them for authentication, all cloning considerations apply again.
For not allowing playback of user files, this would be doable since the SoC is presumably freely programmable, but now you’re facing another problem:
Do you use one global key (then only one compromised projector is enough to break the entire system and the economics), or do you use a per-device key, which requires installing these keys at manufacturing time and individually recording each SD card?
Real-world defense is really not as trivial as the armchair security blogger perspective suggests.
Of course... I'm just talking about raising the bar enough so that it would take a bit more than some casual observations to crack. Per my final statement in GP comment.
> In the end, it was probably as much about satisfying the content rights holders as anything else. If it looks like a lock, it doesn't matter if you can cut it off with scissors.
Most locks get broken eventually... the locks on houses, for example, rarely actually secure the home from intrusion... you have windows that are easy to break and enter/exit. It's about adding a modest effort in order to deter such action... nothing will ever stop it altogether. There's a difference between minimal effort, best appropriate effort, creating Fort Knox around your content and doing nothing at all.