I had thought cert pinning was a normal further step after the use of CA certs.
No, they are independent, because the CAs cannot be trusted. CAs are third parties in it to make money, with seamless browsing as a co-product, not to provide e2e or endpoint security or insurance. And many CAs in global cert stores are pointless and a risk of state coercion or going rogue. Pinning is between you and the owner of the server, period, as it should be. The non-pinned CA model is still a big MITM risk. Full DER cert pinning is fine if people believe CAs and the CA scheme, but the underlying pinning of the pubkey is what is actually securing the connection and is all that is really needed. Server owners really should be publishing signed hashes of their server certs in public on different infrastructure (blockchains, Keybase, Twitter, Linktree, etc.), but they don't, so you have to ask them for hashes, which, if done properly, is better than believing some random CAs in a MITM environment.
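The distinction drawn above between pinning the whole DER cert and pinning the public key, as an added example that is not from either poster: it hashes the SubjectPublicKeyInfo of a leaf cert, checks a presented chain against a pin set independent of any CA, and uses constructed self-signed certs (the SelfSignedDER helper is an assumption, standing in for a cert whose hash you obtained from the server owner out of band).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 of the cert's SubjectPublicKeyInfo, the
// usual "pin-sha256" form. Pinning the key rather than the whole DER cert
// survives a cert rotation that keeps the same key pair.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckPin accepts the presented chain only if the leaf's SPKI hash is in the
// pin set, regardless of which CA chain the server sent. Wrapped in a closure
// it has the shape of tls.Config.VerifyPeerCertificate.
func CheckPin(rawCerts [][]byte, pins map[string]bool) error {
	if len(rawCerts) == 0 {
		return errors.New("pin check: no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return errors.New("pin check: " + err.Error())
	}
	if !pins[SPKIPin(leaf)] {
		return errors.New("pin check: leaf key matches no pinned key")
	}
	return nil
}

// SelfSignedDER is constructed test data: a throwaway self-signed cert for key.
func SelfSignedDER(key ed25519.PrivateKey, serial int64) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return der
}
```

A reissued cert with the same key (a rotation of the certificate only) still passes, while a cert for a new key fails even if some CA in the store would happily vouch for it.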
How long's Google been rotating their certs?
Years, but they probably still do not publish cert history, so back-verification is broken.