You can pre-share the certificate out of band, or set up your browser to TOFU like SSH does. Then they are not useless and may be superior to PKI for certain threat models.
They're not useless. And I'm well aware of how MITM attacks work. Any hops along the path from my VPN endpoint to the server unencrypted can be, and are: viewed with plaintext. With a self signed certificate I can choose to accept the certificate or not. I'm not arguing to use them, I'm saying I've moved on from http, which is reasonable for me to do in today's 'get all of their data' age.
There's a reason most default self signed certs are called "snake oil".