The AT&T Galaxy S4 has a locked bootloader

Yep, it's confirmed. The AT&T S4 authenticates the recovery and boot images before executing them.

I can't see what AT&T has to possibly gain from this. GSM and LTE aren't magical, tethering is controllable on the server side, and theft-of-services is not possible from the application processor side (or even from the modem side as far as I know). The same device is available on every carrier, so it's not an exclusivity issue either. The modem processor has always been locked, and the casual user doesn't want to mess with that part anyway. Samsung has always been developer-friendly, so I am guessing their hand was forced.

The only outcome I see here is stacks of bricked devices being sent back for warranty replacement due to the ease of causing a permanent boot failure, especially since the device is trivially rootable.

The arms race continues. News flash: MILLIONS of people run custom firmware (and I have the STATS to prove it). This is just a stupid move that will cost you customers and money.

I would not recommend buying this device on AT&T if you want to run CyanogenMod or another custom ROM, or if you are a developer and need to work with or debug the lower layers.