If Tailscale is on, I can't concurrently run a DNS-blocking local VPN, so I see ads in mobile Chrome.

Put a Pi-hole container on your homelab, which you have the Tailscale exit node on, and then set it as the forced tailnet DNS.

Could host it in the tailnet?

You can but it’s a lot slower.