The reason can be found here:
There is an important difference between an empty and a nonexistent DACL. When a DACL is empty, it contains no access control entries (ACEs); therefore, no access rights are explicitly granted. As a result, access to the object is implicitly denied.
When an object has no DACL (when the pDacl parameter is NULL), no protection is assigned to the object, and all access requests are granted.
You're passing a null pDacl, so you're making the pipe accessible to everyone.