Ok, but what's the alternative?

Support for cert and CA pinning is in a state that is much better than I thought it would be, at least for mobile apps. I'm impressed by Apple's ATS.

Yet, for instance, you can't pin a CA for any domain; you always have to provide it up front for audit, otherwise your app may not get accepted.

Doesn't this mean that it's not (realistically) possible to create cert pinning for small solutions? Like homelabs or app vendors that are used by onprem clients?

We'll keep abusing PKI for those use cases.

I think if you're going to pin, pin to something you control. If it's an API endpoint, you can use a private CA and have the app trust your root, and pin to that. Same end result, but you're not going to be stuck if a third party you have nothing to do with decides that some part of the hierarchy needs to change.
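An added example (not code from the thread) of what the reply above describes: the app pins the SPKI hash of a private root CA rather than the leaf, so the backend can rotate its server certificate under that CA without breaking the pin. It assumes `openssl` is on PATH; the CA name, hostname `api.example.internal` and all files are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: pin a private CA's SubjectPublicKeyInfo, then rotate the leaf under it.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# spki_pin <cert.pem>: base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format HPKP and
# Apple's ATS identity pinning (SPKI-SHA256-BASE64) use.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Hypothetical private root CA (constructed here, not a real one).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Private Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf <name>: fresh key + 90-day server cert, signed by the CA above.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.internal" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.pem" 2>/dev/null
}

# client_accepts <pinned_spki> <leaf.pem> <root.pem>: what the pinning app does on connect.
# The presented leaf must chain to the bundled root AND the root's SPKI must equal the pin.
client_accepts() {
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 1
  [ "$(spki_pin "$3")" = "$1" ]
}

# rotation_keeps_ca_pin: prints "ok" when the pin baked in at build time still accepts a
# freshly rotated leaf, and shows that a leaf pin would not have survived the rotation.
rotation_keeps_ca_pin() {
  pinned="$(spki_pin "$WORK/ca.pem")"          # value shipped inside the app release
  issue_leaf leaf1
  client_accepts "$pinned" "$WORK/leaf1.pem" "$WORK/ca.pem" || { echo reject-leaf1; return 0; }
  issue_leaf leaf2                             # backend rotates key + cert under the same CA
  client_accepts "$pinned" "$WORK/leaf2.pem" "$WORK/ca.pem" || { echo reject-leaf2; return 0; }
  [ "$(spki_pin "$WORK/leaf1.pem")" != "$(spki_pin "$WORK/leaf2.pem")" ] || { echo leaf-pin-unchanged; return 0; }
  echo ok
}

printf 'CA pin to ship in the app: %s\n' "$(spki_pin "$WORK/ca.pem")"
rotation_keeps_ca_pin
```

The caveat the thread raises still applies: the root (or its pin) must be inside the app release, so whoever ships the app must be given it up front.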

That's the exact opposite of what I'm referring to.

There is a client that has a self hosted web service. Or a SaaS but under his own domain.

There is a vendor that provides nice apps to interact with that service. Vendor distributes them to stores on his own, upgrades them, etc.

Client has no interest in doing that, nor any competencies.

Currently there is no solution here: Vendor needs to distribute an app that has Client's CAs or certs built in (into his app release) to be able to pin it.

I've seen that scenario many times in mid/small-sized banks, insurance and surrounding services. Some of these institutions rely purely on external vendors and just integrate them. Same goes for tech-savvy self-hosters: they often rely on third-party mobile apps but host backends themselves.