@ihavealegohead: Yes, I know about the Chrome settings, but I am more concerned with dealing with this globally, not browser by browser. Also with my IoT devices that hardwire access (e.g. 8.8.8.8 over HTTPS). It seems I've gotten rid of the last of those devices, since a floating rule I put in place to detect HTTPS connections to DNS servers is no longer getting hits.
As for pfBlocker displaying a secure page: if it blocks an HTTPS page, your browser will never show it to you. The certificate in use at that moment is an internal pfBlocker cert, while the browser is expecting to see a certificate for the domain name you entered (while it is asked to show the internal pfBlocker SITE BLOCKED page). Ergo there will always be a certificate mismatch.
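The floating-rule check mentioned in the post can also be run offline over exported connection records to see which client still talks HTTPS to a public DNS resolver. This is an added example, not part of the original post: the resolver list beyond 8.8.8.8, the simplified CSV layout and all sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address

# Assumed resolver list: well-known public DNS addresses. Extend to match
# whatever alias your own firewall rule uses.
PUBLIC_RESOLVERS = {ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9",
)}

# Constructed sample records: time, source, destination, protocol, dest port.
# This simplified CSV layout is an assumption, not pfSense's filterlog format.
SAMPLE_LOG = """\
2024-01-01T10:00:00,192.168.1.50,8.8.8.8,tcp,443
2024-01-01T10:00:05,192.168.1.50,8.8.8.8,tcp,443
2024-01-01T10:00:07,192.168.1.20,8.8.8.8,udp,53
2024-01-01T10:01:00,192.168.1.77,1.1.1.1,udp,443
2024-01-01T10:01:30,192.168.1.20,203.0.113.10,tcp,443
2024-01-01T10:02:00,192.168.1.50,not-an-ip,tcp,443
"""

def doh_hits(log_text, resolvers=PUBLIC_RESOLVERS):
    """Return {client: {resolver: count}} for port-443 flows to known resolvers."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines
        _, src, dst, proto, dport = row
        try:
            dst_ip = ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        # TCP covers HTTP/1.1 and HTTP/2; UDP covers HTTP/3 (QUIC).
        if proto.lower() in ("tcp", "udp") and dport == "443" and dst_ip in resolvers:
            hits[src][str(dst_ip)] += 1
    return {src: dict(per_dst) for src, per_dst in hits.items()}

if __name__ == "__main__":
    for client, per_resolver in sorted(doh_hits(SAMPLE_LOG).items()):
        for resolver, count in sorted(per_resolver.items()):
            print(f"{client} -> {resolver}:443  {count} connection(s)")
```

Plain DNS on port 53 and ordinary HTTPS to non-resolver addresses are ignored, so only devices that bypass the local resolver show up.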