How do they avoid enabling rampant piracy if you can do that to consumer units?

It doesn't allow it to run a ripped game like Halo 5. Any "real" game that needs full access to the Xbox hardware needs to be signed or tested on a proper dev unit. The 'dev mode on consumer consoles' is something for indies and such to test their UWP apps on. If someone happens to have the source code and project files to your UWP app, then sure, they could "pirate" it, but I am not aware of that ever happening.

