I also brainstormed this idea of creating your own CA + public SAN cert.
A SAN cert (Subject Alternative Name) allows you to add aliases for the common name (CN) in the cert, e.g.:
CN = pi.hole
SAN = doubleclick.com, googleadservices.com, etc. etc. etc.
So every time gravity runs to create the blacklist, the one SAN cert would need to be updated to include all the blacklisted domains as SAN entries.
But as this means the cert is generated new every time the blacklist is updated, all the devices would start complaining about the untrusted cert again, and you will need to trust/install the cert every time on all your systems that use Pi-Hole.
And I am not sure how many SAN entries can fit in a SAN cert and how large the cert would be if it included all the blacklisted domains.
Maybe the clients won't complain about the new cert every time if you use some sort of CA chaining, but I have not looked into that yet.