Well, you cannot patch the vast majority of the software in your computer (assuming you are like the vast majority of users using proprietary crap for everything). That does not mean it is all unpatchable. If supermicro care, they could release a BMC update, for example.
That's silly. Unless your users are on throttled dial-up inet, and you're trying to feed them several volumes worth of text (a MB or so?), pre-rendering text on the next page is not a good enough excuse. This must mean you are using some large framework to deliver text and present your website. HN seems to be able to deliver tons of text to users without javascript bullshit, why can't you?
Sending the pihole admin password in a non-https url query string seems like a bad idea. You might argue that your network is 'trusted', but then I'd remind you that this pihole device is designed to intercept all dns on your network, and would be used quite maliciously if compromised.
Exactly what my stance is towards sites that 'need' crap to work. My favorite are news sites/blogs whose primary content is text, but display a completely white blank page when the adblocker is up. (some even do this when you disable JS too. why JS is 'required' for displaying any text is beyond me)
The key piece is whether curl performs hostname verification of the cert, or not. Their ssl certs page is unclear[0] (they go off into the weeds about self-signed certs). If they are not verifying the hostname, then your argument is completely off base since it's basically "you trust a person who signed a thing" vs "you trust a thing you got from someone who has a cert that is trusted by a CA on your system" (and that's pretty trivial to get considering how many 'trusted' CAs distros/OSes ship by default).