On Windows, there is a Secure Audio Path API to prevent interception of the audio signal. Not sure if macOS has something similar, though it can prevent screenshotting of DRMed video. On Linux, any such protection is probably impossible unless Spotify requires a kernel module.
Note that the audio quality on Spotify is not very high (256kbps .ogg, I think), so anything thus recorded is going to sound lossy, especially after you recompress it a second time.
If you’re paranoid, you can convert the FLACs to WAV on an isolated computer (or VM), copy them and recompress them to FLAC or other formats. If there is a vulnerability in FLAC, it won’t persist through transcoding.
Recording Spotify to your DAW, can this get your account banned?
Does Spotify have a way to see if your computer is recording with your DAC’s stereo mix? And if so, is there a way around it?
I may have downloaded music from 1337xx.to . is there anything to worry about?
1337xx.to, not the real site. I only downloaded .flacs