Best secure and privacy options for DNS

DNS in its classic form is certainly flawed, as it does not address concerns with regard to security, authenticity, integrity, confidentiality or privacy at all.

I have replied to similar topics on several occasions in the past, so let me also refer you to DNS Encryption and the future of PiHole - #4 by Bucking_Horn.

Also linked there, DNS Security: Threat Modeling DNSSEC, DoT, and DoH supplies a thorough overview of the current efforts to accomplish more secure DNS operations.


Yet I strongly doubt there can be such a thing as a single best set of settings for Pi-hole.

I presume everyone will settle for those settings that are optimal for their use case, based on more or less complex personal preferences, be they explicitly known or made unconsciously.

Also, discussions on security and privacy of DNS traffic should take into account supplementary procedures outside of Pi-hole as well (like using unbound or employing DNS-over-TLS etc.), as well as the network environment you are operating from (like home, work, wifi cafe, etc.) and your actual users (like family members, kids, visitors, colleagues etc.).

You may come up with different solutions for any one combination of the above (not even weighing in other factors I deliberately fail to mention here).

With regards to DNSSEC:

Your preference for DNSSEC is justified, as it is the only standard I am aware of that addresses authenticity and integrity including that of DNS records.
However, it falls short on privacy and confidentiality, as the receiving end (i.e. your chosen upstream DNS provider) still has full and unrestricted access to your DNS history.

However, enabling DNSSEC on an RPi may be a frustrating experience, as RPis lack the RTC that is elementary for providing correct time which DNSSEC relies on for working, so I wouldn't recommend it without reservations.

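As an added example that is not part of the original post (and not Pi-hole project code), here is a POSIX shell script for checking the two things the post ties together: whether a resolver actually validates DNSSEC, and whether the host's clock is sane enough for RRSIG validity windows to be checked. The resolver address, the test names example.com (a signed zone) and dnssec-failed.org (a deliberately broken one), and the reference epoch are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Pi-hole project.
# It checks the two DNSSEC preconditions raised above: that the resolver really
# validates (AD flag on a signed name, SERVFAIL on a deliberately broken one) and
# that the local clock is plausible, since RRSIG inception/expiration times are
# compared against system time and a Pi without an RTC boots with a stale clock.

# Constructed lower bound for "the clock has synced": 2023-11-14 (epoch 1700000000).
# Any current time earlier than this means NTP has not corrected the clock yet.
REFERENCE_EPOCH=1700000000

# Return 0 if a dig ';; flags:' header line carries the AD (authenticated data) bit,
# i.e. the resolver reports the answer as DNSSEC-validated.
ad_flag_set() {
    case "$1" in
        *";; flags:"*) ;;
        *) return 1 ;;
    esac
    flags=${1#*flags:}      # drop everything up to and including "flags:"
    flags=${flags%%;*}      # keep only the flag words before the next ';'
    for f in $flags; do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

# Print the RCODE (NOERROR, SERVFAIL, ...) from a dig ';; ->>HEADER<<-' line.
dig_status() {
    s=${1#*status: }
    printf '%s\n' "${s%%,*}"
}

# Return 0 if epoch $1 is not earlier than reference epoch $2.
clock_plausible() {
    [ "$1" -ge "$2" ]
}

# Live check against a resolver (needs dig and network access).
# Usage: live_check 192.168.1.2 [signed_name] [bogus_name]
live_check() {
    resolver=$1
    signed=${2:-example.com}          # assumption: a DNSSEC-signed zone
    bogus=${3:-dnssec-failed.org}     # assumption: a deliberately broken zone

    hdr=$(dig @"$resolver" +dnssec "$signed" A | grep '^;; flags:')
    if ad_flag_set "$hdr"; then
        echo "validation: AD set for $signed (resolver validates)"
    else
        echo "validation: AD NOT set for $signed (not validating, or DNSSEC disabled)"
    fi

    st=$(dig @"$resolver" +dnssec "$bogus" A | grep '^;; ->>HEADER<<-')
    case "$(dig_status "$st")" in
        SERVFAIL) echo "bogus: $bogus correctly rejected" ;;
        *)        echo "bogus: $bogus was answered; resolver is NOT validating" ;;
    esac

    now=$(date +%s)
    if clock_plausible "$now" "$REFERENCE_EPOCH"; then
        echo "clock: $now is at or after the reference epoch"
    else
        echo "clock: $now predates the reference epoch; NTP has not synced, DNSSEC will fail"
    fi
    # On systemd hosts (Raspberry Pi OS included), report NTP sync state as well.
    if command -v timedatectl >/dev/null 2>&1; then
        echo "ntp synchronized: $(timedatectl show -p NTPSynchronized --value)"
    fi
}

# Run the live check only when a resolver address was given on the command line.
if [ -n "${1:-}" ]; then
    live_check "$@"
fi
```

Run it as `sh dnssec_check.sh <pi-hole-address>`; the parsing helpers can also be sourced and reused against saved dig output, which is how the clock and flag logic is exercised offline.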