How could it be the "most secure"? How do you as a client verify the self-signed certificate is the right one? If someone MITM'ed the certificate and you've never used it before, how would you know that the certificate was intercepted? Who do you go to to verify you've got the right certificate? That doesn't sound secure at all. It's like asking a potential liar to swear to you they aren't lying and not asking someone else if that person is possibly being dishonest. Sure, central certificate authorities have their problems as a concept, but at least there's someone else verifying that the cert is the real one.
In general, you'd be right; in parent's hypothetical scheme, the trust model is different because your systems exist on both sides of the exchange (in normal Web communication, this obviously isn't the case). You simply configure your clients to only trust this single certificate that you yourself created and installed on your server. No one could MITM you unless they recreated an identical certificate from scratch, which is mathematically challenging.
Note the "if you pin them" part. Pin in this context means you have the identity of the specific certificate stored on your client, and so you are not depending on whether or not it is being declared by some CA to be valid for the server in question. Instead you are expecting that exact certificate.
That it is a private cert does not make it any more secure, but pinning is more secure, and with a pinned cert, having the cert signed by a CA gives no additional security.
Because it's your cert that you just installed on your server, so you know its thumbprint.
This is effectively what you are doing every time you connect to a server over SSH and say 'yes' to that message with the funny string asking, "Are you sure you want to connect?" It's analogous to pinning a self-signed certificate.
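To make the pinning described in these replies concrete (the "configure your clients to only trust this single certificate", the stored thumbprint, and the SSH known_hosts analogy), here is an added Go example that is not code from any of the commenters. It generates a self-signed certificate in memory (standing in for the cert you installed on your server), records its SHA-256 thumbprint as the pin, and builds a client TLS config whose only trust decision is "does the presented certificate match the pin?"; CA chain building is switched off. It then runs two loopback handshakes, one against the genuine certificate and one against a second, freshly generated self-signed certificate for the same name, to show that the second is rejected even though nothing distinguishes it from a CA's point of view. The hostname, port and both certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeSelfSigned generates a throwaway self-signed certificate for "localhost"
// (constructed in memory for this example; nothing is written to disk).
func MakeSelfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Thumbprint is the hex SHA-256 of the DER certificate: the value an operator
// records after installing the cert, and the only thing the client trusts.
func Thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinCheck accepts a presented chain only if its leaf matches the stored pin.
func PinCheck(rawCerts [][]byte, pin string) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	if got := Thumbprint(rawCerts[0]); got != pin {
		return fmt.Errorf("leaf thumbprint %s does not match pinned %s", got, pin)
	}
	return nil
}

// PinnedClientConfig disables CA-based verification (InsecureSkipVerify) and
// replaces it with the pin check, which Go runs on every handshake.
func PinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return PinCheck(rawCerts, pin)
		},
	}
}

// Handshake serves serverCert on a loopback port and connects with clientCfg;
// it returns the client's handshake error, or nil when the pin matched.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // server side; its error is the client's alert
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	<-done
	return err
}

func main() {
	genuine, _ := MakeSelfSigned()
	imposter, _ := MakeSelfSigned() // same name, different key: what a MITM could present
	pin := Thumbprint(genuine.Certificate[0])
	fmt.Println("pinned thumbprint:", pin)
	fmt.Println("genuine cert:", Handshake(genuine, PinnedClientConfig(pin)))
	fmt.Println("imposter cert:", Handshake(imposter, PinnedClientConfig(pin)))
}
```

The first handshake returns nil and the second returns the pin mismatch error. Pinning the whole certificate, as here, means the pin must be updated whenever the cert is reissued; deployments that rotate certificates often pin the SHA-256 of the SubjectPublicKeyInfo instead so a renewal with the same key keeps working.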