Well, it's how it works currently. The Shroud of the Avatar site has an extensive addon store https://www.shroudoftheavatar.com/?page_id=9085 and even a stretch goal store https://www.shroudoftheavatar.com/?page_id=40715 for post-KS support. Purchases are added to your SotA account and applied to your in-game bank account the next time you log into the game, whether you log in with your Steam account credentials or SotA account credentials.
It might work slightly differently when it comes time to do expansion packs... Maybe. It depends on whether, when an expansion is released, only the people who own it need to download its files or everyone needs to download its files anyway for multiplayer compatibility. Either way you can generate Steam keys for expansion content and they could apply that to customers' Steam accounts if linked the same way.
I'm glad someone else is bringing real-life examples in, rather than just theory crafting. The one thing not mentioned is that you still log in with a unique ID and email address for both games outside of Steam too. The legitimacy of your account remains under the publisher's control in both cases, not Steam's. And Steam didn't give us a "key" at all; what happened was you open up an already valid Shroud account via the owner's web page, and link it specifically to a specific Steam account, as shown on the link Astrobia gives.
Now sure, I could sign in and link my account to a friend's Steam login details instead, and they can install the game to their Steam account; except they still can't log in because they don't have an active E : D account that gets past the E : D launcher. They can go to the launcher and log in with your Frontier account I suppose... but then you can't play it at the same time. And you can already do that (in practice, if not legally maybe) by them downloading the client elsewhere, then you giving them your login details. But if you wanted to play together, one of you still has to set up a second Frontier account and link it to a second Steam account.
DLC and all the other things involved are just flags on your account; indeed, when I worked in the industry, the difference between my account and you the players was just toggles for certain commands in my client being "On" which you have "Off", and the server accepting them, as my Staff account was logged in the database as able to legitimately give them to the server. You could type "Spawn Cow" or whatever, but the client wouldn't show a response, and the server wouldn't accept it if you could somehow trick the client into sending it. The game client itself was identical however; I was just given a staff user name, and when entered into my previously Player-only game, voila, cows everywhere if I wanted them.
So let's say Elite release DLC with Thargoid flyable ships. The software will just have a "Send check to Frontier server, can this player have that?" routine. And it'll check that against Frontier's database just like it does for hit box checks, market prices etc. already. Steam won't have anything to do with that. If someone buys the DLC through Steam, you'll most likely just enter the key it gives in your account here, which will set the DLC flag for you to "On".
Incidentally, early MMO emulators were both client and server, which is how they got around those limitations. Nowadays, and I assume for E : D too, the server acts as both anti-piracy protection as well as gameplay hardware. Anyone complaining about Steam as DRM is experiencing exactly that through Frontier's own login and server system. And missing out on enormous sales for the sake of a principle they've already compromised.
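The server-side check described in the post above (staff commands and DLC treated as flags in the publisher's database, with the client's own claims ignored), sketched as an added example that is not part of the original thread and is not Frontier's or any game's actual code. The account names, key value, and command names are constructed for illustration.

```python
# Constructed sample data: accounts and their flags live only on the server.
ACCOUNTS = {
    "staff_alice": {"staff": True, "dlc": set()},
    "player_bob": {"staff": False, "dlc": set()},
}
# Unredeemed keys mapped to the DLC flag they grant (constructed values).
DLC_KEYS = {"AAAA-BBBB-CCCC": "thargoid_ships"}

# What each command requires; checked against the database, never the client.
COMMAND_RULES = {
    "spawn_cow": ("staff", None),
    "fly_thargoid": ("dlc", "thargoid_ships"),
    "dock": (None, None),
}

def redeem_key(account_id, key):
    """Set the DLC flag on an existing account; each key works exactly once."""
    if account_id not in ACCOUNTS:
        return False
    flag = DLC_KEYS.pop(key, None)  # pop so a shared key cannot be reused
    if flag is None:
        return False
    ACCOUNTS[account_id]["dlc"].add(flag)
    return True

def handle_command(session_account, message):
    """Authorize a client message using only server-side account state.

    session_account is the identity the server bound to the connection at
    login; fields inside message are untrusted input from the client.
    """
    account = ACCOUNTS.get(session_account)
    rule = COMMAND_RULES.get(message.get("cmd"))
    if account is None or rule is None:
        return "rejected"
    kind, flag = rule
    # Anything the client says about itself (e.g. message["staff"]) is ignored.
    if kind == "staff" and not account["staff"]:
        return "rejected"
    if kind == "dlc" and flag not in account["dlc"]:
        return "rejected"
    return "accepted"

if __name__ == "__main__":
    # A modified client claiming staff rights is still refused.
    print(handle_command("player_bob", {"cmd": "spawn_cow", "staff": True}))
    print(redeem_key("player_bob", "AAAA-BBBB-CCCC"))
    print(handle_command("player_bob", {"cmd": "fly_thargoid"}))
```

Because the decision depends only on the server's record for the logged-in account, an identical client binary behaves differently per account, and a key handed to a second person fails once it has been redeemed.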