Fixed!

The problem is in the NFS server configuration!

TL;DR:

Remove --manage-gids from the RPCMOUNTDOPTS in the file /etc/default/nfs-kernel-server on the NFS server and restart the nfs-kernel-server service.

Research

So I found out that if user www-data had pihole as the primary group, I was able to write the gravity.db. As soon as I made www-data primary again and pihole the secondary group again, the permission was denied. However, if I did the same on the NFS server (by adding group 999 as a secondary group to user www-data), all was fine!

So now I knew it had to do something with the NFS communication. After some DuckDuckGo-ing I found this quote:
NFS permission problem with secondary groups

rpc.mountd(8) - rpc.mountd - NFS mount daemon

-g or --manage-gids
Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access control. An NFS request will normally (except when using Kerberos or other cryptographic authentication) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16 groups ids can be listed. If you use the -g flag, then the list of group ids received from the client will be replaced by a list of group ids determined by an appropriate lookup on the server. Note that the 'primary' group id is not affected so a newgroup command on the client will still be effective. This function requires a Linux Kernel with version at least 2.6.21.

This means that when --manage-gids is passed, the NFS server will try to replace the secondary groups with 'an appropriate lookup on the server'. I'm not 100% sure what that means, but in our situation it had undesired effects.

Fix

So to fix our permissions problem here, I have edited my /etc/default/nfs-kernel-server file on the NFS server and commented the line RPCMOUNTDOPTS="--manage-gids".

Now it works with a fresh install with values.yml PVC:

persistentVolumeClaim:
  enabled: true
  storageClass: nfs-client
  accessModes:
    - ReadWriteOnce

And the default file permissions:

root@pihole-xxxxxxxxxx-xxxxx:/# ls -lahF /etc/pihole/
total 91M
drwxrwxr-x 3 pihole pihole 4.0K Sep 30 05:50 ./
drwxr-xr-x 1 root   root   4.0K Sep 30 05:46 ../
[...]
-rw-rw-r-- 1 pihole pihole  67M Sep 30 05:47 gravity.db
[...]

Hope this helps!

Note: The config file also recommends to read http://wiki.debian.org/SecuringNFS, so that's a good next step. :-)

PS: Thanks to @i5Js, your research helped a lot to pinpoint the exact problem!

Thanks to @brnl for this, as discussed here: #39 (comment)