I think if you're going to pin, pin to something you control. If it's an API endpoint, you can use a private CA and have the app trust your root, and pin to that. Same end result, but you're not going to be stuck if a third-party you have nothing to do with decides that some part of the hierarchy needs to change.

That's the exact opposite of what I'm referring to.

There is a client that has a self-hosted web service. Or a SaaS but under his own domain.

There is a vendor that provides nice apps to interact with that service. Vendor distributes them on his own to stores, upgrades etc.

Client has no interest in doing that, nor any competencies.

Currently there is no solution here: Vendor needs to distribute an app that has Client's CAs or certs built in (into his app release), to be able to pin it.

I've seen that scenario many times in mid/small-sized banks, insurance and surrounding services. Some of these institutions rely purely on external vendors and just integrate them. Same goes for tech-savvy self-hosters - they often rely on third-party mobile apps but host backends themselves.