I see the lack of cert pinning as a sign of having a good security team. Pinning is usually implemented as "we had an external security audit and their report said we should". Security auditors and pentesters tend to add this kind of crap (alongside root detection and obfuscation) to their reports to pad them out and make their work sound more valuable to the paper-pushers. So either Lyft had their audits done by a competent provider, or their staff know enough to filter this bullshit out. Either way, props.