Spotify, like most legit streaming services, use Google Widevine DRM, and you don't reverse engineer it. At least not for the level that is required for this kind of content (L3). When you stream something in browser or device, the decryption module of that device is "talking" to the license server. If the identification goes through, the decryption keys are sent and the media gets played. So what you do is you extract that decryption module from a device, and then use scripts to send requests acting as that device, tricking the license server into sending you the decryption keys.
Once set up, and with the proper script, it can actually be even more efficient than other forms of piracy.
Use a VPN service with a proven track record to connect to a seedbox paid for with crypto, and download only from top-level private trackers. It's about as secure as you can get as a casual user.
In reality, though, a simple VPN is probably enough. Maybe not even that if you're in a country that doesn't give a shit.