Hi Jonathan,
Your tests still don't really show intended behaviour. Your calls that set security descriptor use new SD that has the same tested values as before the call, then what's the point in setting it? Anyway, I cleaned it up and changed a bit to see how it's really supposed to work. See the attachment.
It looks like client and served should indeed share security descriptor, but pipe object should not, so that part is wrong.
Thanks, Jacek