I can run any kernel I wish on the device, but in order to run DRM:ed files, either applications or media, I will need to run a kernel signed by Nokia. That seems pretty fair and reasonable to me.
What I'm curious about, though, is what level of tinkering will I be able to do in future Maemo versions in the trusted mode? Will I still be able to get full root access, install Debian in a chroot, rip out proprietary apps I don't like and replace them with something open, etc.?
If that is indeed the plan, then Nokia should be congratulated for truly getting it.
Another thing I'm kind of curious about, when running in untrusted mode, is it still possible t make use of the TPM to get features like secure storage of file hashes?