And if you are going to have a public facing webserver, you aren't going to waste your port-forward on Pi-Hole alone.
Personally I use Let's Encrypt with Nginx as a reverse proxy for my home network.
The other problem is if a user is already using Let's Encrypt on a raspberry pi,,, having it as part of the Pi-Hole setup process might destroy a previous configuration. Pi-Hole isn't necessarily the first/only thing being installed on a single device. (even though i wish I had a dedicated pi just for it.)
Perfectly safe if there is no external access to the webui. If you need access to the webui remotely, install openvpn, and then connect to it. I don't allow direct access to my Pi-Hole, nor do I think that's a good idea.