I mean a user could as easily pass in some malicious code in $cmd using open($FH,"$cmd|") as in using `$cmd` or am I missing something?

The difference is that the pipe open supports a list form, so in open my $handle, "$cmd|", $arg1, $arg2 the $arg1 and $arg2 don't evaluate shell meta characters; if they are user-supplied, they generally can't execute arbitrary code.

Whereas if you do `$cmd $arg1 $arg2`, and one of the arguments is user-supplied, having $arg1 = '; rm -rf ~/*' might cause much more damage.