Are SVCB queries sent through Pi-hole of blocking concern?

As explained, once the app / device has obtained the IP address, using a regular A or AAAA query, it will then retrieve the SVCB data from that address. Apple devices appear to be the exception (SVCB query sent to the system-configured DNS). For example:

  • dig A dns.quad9.net -> 9.9.9.9
  • dig @9.9.9.9 _dns.resolver.arpa svcb

Pi-hole doesn't see the second query unless firewall redirection (to Pi-hole) is working, thus the regex isn't applied. A lot of users don't have firewall redirection implemented (the user doesn't know how to, or the firewall can't: device limitation).

Just to make things clear: the regex + firewall redirection should be an effective method to block all SVCB queries. I always try to have multiple solutions for a given problem, hence the Suricata solution (Suricata rule to reject DNS queries, opcode type 64).