As I understand it, the classes in the System.Security.AccessControl namespace like RawSecurityDescriptor, RawAcl etc provide managed representatons of the information in the corresponding Win32 constructs. So an instance of RawSecurityDescriptor is a .NET object, with fields which are also .NET objects (including, for example, two RawAcl objects for the DACL and the SACL). This managed representation is not directly related to either the absolute or the self-relative form of unmanaged SecurityDescriptor.

The RawSecurityDescriptor class provides conversions to and from the managed representation, one to the textual SDDL representation (not relevant to your question) and one to what it calls “BinaryForm”, which corresponds to the Win32 self-relative structure, representing the SD as a contiguous array of bytes.

Your managed code sample uses the ctor for RawSecurityDescriptor which converts from the self-relative byte array stored in the registry, to the managed representation. The changes are then made to the managed representation using .NET code, and at the end the GetBinaryForm method is called to convert the amended SD back to the self-relative unmanaged form to store in the registry. Thus the managed code never needs to concern itself with any absolute SD structure.

Unmanaged code does need to make the conversion each way because some of the Win32 APIs called to change the SD require the absolute form.