Removing the file would definitely break some things for people, I was suggesting a rewrite of the mbed functions to only create the one certificate, without a CA. This is the most elegant solution to this self-signed problem, IMO.
If a malicious party were to host a pi-hole server, there's nothing to stop them from adding their own certificate with an AIA extension regardless. The only thing that AIA extensions provide is forwarding the full certificate chain to computers that connect to the pi-hole webUI; instead of the broken chain with only the self-signed certificate. If the user/computer connecting wants to write a program to automatically trust the CA from pi-hole, that's on them.
AIA extensions are ubiquitous, even the Let's Encrypt certificate for this discourse site has one; although I believe it's a bit too complex for something like pi-hole. There is another option that I did not mention, which would be to bundle the CA certificate in with the tls.crt. I am not sure how feasible this would be with mbedtls.