They could have easily crammed the Steam Deck full of stuff to make it hard to use for piracy - locking down everything, making it usable only to play games you legitimately own, force you to go through who knows what hoops in order to play games on it. That's what Nintendo or Apple or most other companies do.
But they didn't, because they realized they didn't have to. It's 100% possible to put pirated games on the Steam Deck - in fact, it's as easy as it could reasonably be. You copy it over, you wire it up to Steam, if it's a non-Linux game you set it up with Proton or whatever else you want to use to run it, bam. You can now run it in Steam just as easily as a normal Steam game (usually.) If you want something similar to cloud saves you can even set up SyncThing for that.
But all of that is a lot of work, and after all that you still don't have automatic updates, and some games won't run this way for one reason or another even though they'll run if you own them (usually, I assume, because of Steam Deck specific tweaks or install stuff that are only used when you're running them on the Deck via the normal method.) Some of this you can work around but it's even more hoops.
Whereas if you own a game it's just push a button and play. They made legitimately owning a game more convenient than piracy, and they did it without relying on DRM or anything that restricts or annoys legitimate users at all - even if a game has a DRM-free GOG version, owning it on Steam will still make it easier to play on the Steam Deck.
It's built on Linux. Specifically Arch Linux. So no, there's nothing they could have done to lock it down to prevent piracy. Not even if they wanted to.
Android is built on linux yet it is increasingly locked down and many phones are extremely difficult to get root access on.
So Valve could have followed the phone ecosystem path and pushed as much of the feature set as proprietary code as possible (binary blob drivers, proton proprietary instead of bsd), replaced pacman with a valve controlled package manager & repos, setup selinux to give users no power to do anything and made the deck only able to secure boot steamOS signed by Valve. Technical users may be able to jail break such a device but the majority would not be inclined to.
Valve's wisdom here is in realizing that the majority are going to buy their games anyway but if you don't lock the device down then most of the technical users will also buy most of their games whereas if you have to go out of your way to jail break a device to install something fun then that device basically becomes a piracy only device from that point on.