Thanks for your reply. My goal here was to end a port conflict between containers (or rather, between pi-hole and every other container).
I can command each container to use a specific network interface, so I’m letting the pi-hole stay on its own interface (eth0). It apparently has to have direct access to :443 traffic, since SSL ads are (apparently?) a(n Adsense?) thing. Thanks, Google.
The USB interface is getting every other container. These include public-facing micro-services. This was the easiest way to solve the port conflict on :443, and has the additional benefit of just letting me pull a single cord to kill all public-facing incoming network connections, without taking down my internal DNS.
Pi-Hole does not support SSL connections without some sort of deep magic I don’t understand, so even though I can reverse proxy it, figuring out how to actually do that will take more time than I actually have. (If/when I reverse proxy pi-hole, I could theoretically get back down to a single ethernet interface without port conflicts. Apparently, the pi-hole team just assumes everyone will use a VPN to manage it from outside the network, which is … annoying.)
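Added example, not part of the original post: a small check of why binding each container to one interface's address removes the :443 clash, and which containers drop off when one cable is pulled. The interface name `usb0`, the addresses, the container names and the port lists are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample values: interface names and addresses are assumptions.
INTERFACES = {"eth0": "192.168.1.10", "usb0": "192.168.2.10"}

def overlaps(a, b):
    """Two listen addresses collide if they are equal or either is a wildcard."""
    a, b = ip_address(a), ip_address(b)
    return a == b or a.is_unspecified or b.is_unspecified

def find_conflicts(bindings):
    """bindings: (container, host_ip, port) tuples. Returns (port, a, b) clashes."""
    by_port = defaultdict(list)
    for name, ip, port in bindings:
        by_port[port].append((name, ip))
    conflicts = []
    for port, listeners in sorted(by_port.items()):
        for i, (n1, ip1) in enumerate(listeners):
            for n2, ip2 in listeners[i + 1:]:
                if n1 != n2 and overlaps(ip1, ip2):
                    conflicts.append((port, n1, n2))
    return conflicts

def lost_when_unplugged(bindings, iface):
    """Containers whose every binding sits on iface's address (wildcards survive)."""
    ip = INTERFACES[iface]
    per_container = defaultdict(set)
    for name, host_ip, _port in bindings:
        per_container[name].add(host_ip)
    return sorted(n for n, ips in per_container.items() if ips == {ip})

# Everything published on all interfaces: both containers want 0.0.0.0:443.
WILDCARD = [("pihole", "0.0.0.0", 443), ("pihole", "0.0.0.0", 53),
            ("web", "0.0.0.0", 443)]

# Pi-hole pinned to eth0's address, public-facing services to the USB NIC's.
SPLIT = [("pihole", INTERFACES["eth0"], 443), ("pihole", INTERFACES["eth0"], 53),
         ("web", INTERFACES["usb0"], 443), ("api", INTERFACES["usb0"], 8443)]

if __name__ == "__main__":
    print("wildcard layout clashes:", find_conflicts(WILDCARD))
    print("split layout clashes:   ", find_conflicts(SPLIT))
    print("gone if usb0 is pulled: ", lost_when_unplugged(SPLIT, "usb0"))
    print("gone if eth0 is pulled: ", lost_when_unplugged(SPLIT, "eth0"))
```

A container left on a wildcard bind stays reachable through the remaining interface, so it does not appear in the "pulled" list and would not be cut off by unplugging the cable.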