There's a good post on using HPKP (the key pinning mechanism for HTTP) here:
The tl;dr is:
- Pin to multiple independent CAs
- Pin to a backup key you keep offline (in a safe/bank vault/etc.)
The backup key will be useful if both CAs are compromised (or stop issuing certificates that chain up to one of your pinned keys). At least for HPKP, the pin will be satisfied if any of the keys in the chain match - including the key of your own certificate (typically called end-entity certificate), so using that key in the CSR you use to request a certificate from a new CA should satisfy the pin. I have not personally used TrustKit before so I can't guarantee that it works like that as well, but it would seem counter-intuitive to do it any other way.
As for the keys you need to include for Let's Encrypt specifically, ISRG Root X1 and DST Root CA X3 would be sufficient. Technically, even DST Root CA X3 would be sufficient right now, but to keep things future-proof, including the ISRG root can't hurt. Either way, you should count those two certificates as one CA with regards to the "pin to two independent CAs" recommendation.