Interesting reading and technically correct, but there is a significant difference when you use unbound as a local recursive resolver. The articles discuss DNS resolvers that are open to the internet. The big DNS providers are aware of these risks and have implemented security measures to protect them.
Unbound will be running inside your private network, not open to the internet. So, DOS, DNS cache poisoning, unauthorized use of resources and root name server performance degradation are not going to be an issue unless you have a serious network flaw. The only DNS requests that unbound will see are coming from your private network, and your recursive resolver is invisible to the internet.
If port 53 on your network is not open to the internet, then nobody on the internet can make DNS requests from your network. The risk of an open port 53 is the same to you whether you run unbound or not. If somebody has access to your port 53, they can put as many DNS requests as they like. If this were the case today, they would make these requests and Pi-Hole would forward them to Cloudflare.
One more detail - unbound doesn’t listen directly on port 53 when set up per the guide. Unbound is installed on the Pi, and listens on the loopback address 127.0.0.1 at port 5353. So, this port can only be accessed from the Pi itself and Pi-Hole is the only client set up to send traffic to that port. So, all requests to unbound first go through Pi-Hole (and you’ll see all the requests).
One resource to test your network security is Shields Up. https://www.grc.com/x/ne.dll?bh0bkyd2
A port scan from here will identify any of your ports that are open to the internet. If you run this test and don’t have any open ports (particularly port 53, which serves DNS), then your local resolver will be private.
Here is how it should look if your network is set up properly: