See this post for why it fails in your browser and a possible script-based workaround.
Regarding the general idea, the CNAME disclaimers are correct, but I'd expect Google to have sorted the SSL aspect if they're promoting this as a way to force safe search. When I try it with Unbound, it returns BOGUS results, meaning the domain info doesn't match what I requested, which I'd imagine is correct. I suggested using a non-DNSSEC upstream and disabling DNSSEC in Pi-hole as a possible way to avoid that, but I don't know if it's relevant.