It looks like they have disabled most of the API commands that would have been problematic. I don’t know if this is permanent or not.
In the past, the API keys allowed you to transfer domains - so a compromise could result in losing control of the domain to a malicious actor.
Anyone using DreamHost as a registrar likely uses them for other services though - their domain pricing is not good. All domains and services on the account would be at risk, including databases and hosted websites.