Blacklist/Whitelist not working for a user client group

Expected Behaviour:

Opening Facebook/Instagram on devices in a specific group (jen) should work.

Actual Behaviour:

Queries to FB/IG domains are blocked.

Debug Token:

https://tricorder.pi-hole.net/1rvc9x6W/

The specific device (iPhone) in question has a MAC address ending in C3:8A and has the static IP address ending in .200. I've made sure the device is not using a hidden/rotating MAC address, so the DHCP address is stable.

The device is also part of a client group (id 3), and blacklists/whitelists are set up such that all fb/ig domains should be allowed. However, they are not:

From a different device in a different group (part of group with id 1), blocking facebook.com works as expected (verified with dig facebook.com).

Parts of your debug log are inconclusive, e.g. the "Ports in use" section shows a lack of binding for Pi-hole's port, while Pi-hole's log shows queries being correctly answered.

This could be expected:
Are you running Pi-hole in some kind of virtualisation environment?

I think the queries were correctly answered only sporadically. The iPhone should allow fb/ig, and when I created the OP, they were still being blocked.

I'm running it in Docker, no virtualization.

Your group assignment looks OK. Just to try: please define the iPhone as a client by its IP (.200) and not by its MAC, and see if it makes any difference.

please define the iPhone by its IP

What do you mean? How do I do that? The DHCP assignment is by the MAC address (for all devices).

Group Management -> Clients. Don't use the drop-down to define a client, but type in the IP address.

Okay, I think that may have solved this. Do you know why MAC-based device assignment is flaky, like I reported?

While seemingly a stronger identifier than IP addresses, MAC addresses are only visible on the same link / network segment.

Any L3 switching network equipment (like additional routers, access points, or certain switches) breaks that segment, and all traffic from devices connected through such equipment will appear with that equipment's MAC address.

If your iPhone connected in such a way, that would explain your observation, especially if the iPhone were the only client with client-specific filtering rules in Pi-hole.

In general, using an IP address for filtering is preferable, even more so if you can ensure that devices always have the same IP:
Unlike a MAC, the IP address is directly observable in a DNS request, so the client match doesn't have to be deduced from third-party knowledge (like information from arp or ip neighbor).
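To make the difference between IP-based and MAC-based client matching concrete, here is an added illustration in Python. It is not Pi-hole's code and does not reproduce how FTL resolves clients internally; it only models the lookup described above: an IP rule is compared directly against the query's source address, while a MAC rule first has to translate that address through the host's neighbor table (the `ip neighbor` output). The neighbor table below is constructed sample data, and every MAC address in it is assumed; the example also goes one step beyond the post by showing the case of an on-link neighbor whose entry has no usable MAC (state FAILED), which is one way a MAC rule can match only "sporadically".

```python
"""Illustration of IP-based vs. MAC-based client matching for a DNS resolver.

Added example, not Pi-hole's own implementation. The neighbor table and all
MAC addresses are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `ip neighbor` output as seen on the resolver host (example data).
#  - 192.168.1.200: on the same link, fresh ARP entry, MAC assumed to end in c3:8a
#  - 192.168.1.1:   the router towards a second segment (192.168.2.0/24)
#  - 192.168.1.60:  on-link, but its ARP entry has FAILED and carries no lladdr
# Hosts behind the router (e.g. 192.168.2.50) never appear here at all: only the
# router itself is a neighbor of this host.
NEIGH_OUTPUT = """\
192.168.1.200 dev eth0 lladdr 02:00:00:00:c3:8a REACHABLE
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.60 dev eth0  FAILED
"""

# One `ip neighbor` line: "<ip> dev <if> [lladdr <mac>] <state>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr ([0-9a-f:]{17}))?\s+(\S+)$", re.I)


def parse_neigh(text: str) -> dict[str, Optional[str]]:
    """Map each neighbor IP to its MAC (lower-case), or None when the entry has no lladdr."""
    table: dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a neighbor entry
        ip, _dev, mac, _state = m.groups()
        table[ip] = mac.lower() if mac else None
    return table


@dataclass
class ClientRule:
    ident: str   # either an IP address or a MAC address, as typed in the client definition
    group: int   # group id the client is assigned to


def is_mac(s: str) -> bool:
    return re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", s, re.I) is not None


def match_client(src_ip: str, rules: list[ClientRule],
                 neigh: dict[str, Optional[str]]) -> Optional[int]:
    """Return the group id for a query's source IP, or None if no client rule matches.

    An IP rule is compared directly against the source address of the DNS request.
    A MAC rule needs the neighbor table to turn that address into a MAC; if there is
    no usable entry (off-link client, or an on-link entry without lladdr), it cannot match.
    """
    for rule in rules:
        if is_mac(rule.ident):
            if neigh.get(src_ip) == rule.ident.lower():
                return rule.group
        elif rule.ident == src_ip:
            return rule.group
    return None


def demo() -> dict[str, Optional[int]]:
    """Run the scenarios from the discussion; None means 'falls back to the default group'."""
    neigh = parse_neigh(NEIGH_OUTPUT)
    return {
        # iPhone on the same link, ARP entry fresh: both rule kinds put it in group 3
        "on-link, mac rule": match_client("192.168.1.200", [ClientRule("02:00:00:00:c3:8a", 3)], neigh),
        "on-link, ip rule": match_client("192.168.1.200", [ClientRule("192.168.1.200", 3)], neigh),
        # on-link host whose ARP entry has FAILED: the MAC rule cannot be evaluated
        "failed arp, mac rule": match_client("192.168.1.60", [ClientRule("02:00:00:00:00:60", 3)], neigh),
        "failed arp, ip rule": match_client("192.168.1.60", [ClientRule("192.168.1.60", 3)], neigh),
        # host behind the router: no neighbor entry exists, so only the IP rule works
        "behind router, mac rule": match_client("192.168.2.50", [ClientRule("02:00:00:00:02:50", 3)], neigh),
        "behind router, ip rule": match_client("192.168.2.50", [ClientRule("192.168.2.50", 3)], neigh),
    }


if __name__ == "__main__":
    for scenario, group in demo().items():
        print(f"{scenario:28s} -> {'group ' + str(group) if group is not None else 'no client match'}")
```

The two rows that come back with no match are exactly the situations the reply describes: the MAC rule is only as good as the resolver's view of the link, while the IP rule needs nothing beyond the request itself. Running `ip neighbor` on the Pi-hole host (or inside the container's network namespace, if it is not using host networking) and checking whether the .200 entry is present with the expected MAC is the corresponding real-world check.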
