Update: Our pal Dan at PC Gamer points out that while he thought it was goofy to have the DRM on the demo too, it turns out that they pretty much always do this -- if they don't, pirates can use the unprotected exe to figure out what the difference between the demo and retail exe is, and that makes it easier to hack out.
Update 2: 2K has a statement up about BioShock's DRM. According to them, SecuROM isn't an actual rootkit, it's just hiding some registry keys on your system. Gaming Bob, who originated this story, has also retracted his analysis of the DRM as being a rootkit, and posted up some easier instructions for removing the SecuROM service, so it looks like it's indeed safe to come out and play.
[Via Fergie's Tech Blog; thanks Nfinity]