I share your reservations with regard to DoH (and strongly so), while at the same time I understand the motivations for better privacy of DNS requests. However, I've got the feeling that moving DNS lookups from the network towards client application control by default is hurting security more than it benefits privacy.
You are probably aware that blocking regular DNS lookups to known DoH servers is already discussed as a feature request (Blocking DNS-over-HTTPS (DoH) - #13 by Bucking_Horn), but is currently assessed as out of scope.
Take a look; some of the posts there might already contain some of the answers you seek.