Unbound does DNSSEC authentication.
Between the two, Pi-hole and unbound, is it better to leave DNSSEC enabled in unbound and leave the pihole's disabled?
Unbound is doing the DNSSEC function, so you don't need to enable this in Pi-hole unless you want to see the dnssec status in the query log. That's all the Pi-hole setting toggles in this case.
is this correct? I assumed both unbound and dnsmasq would perform DNSSEC checks, if both are enabled.