I'll add on to this thread late - if it needs to be elsewhere please redirect.
This is a question of "who do you trust least and why." I have configured various Pi-holes with unbound as a local recursive resolver, and with cloudflared running DNS over HTTPS. One protects the integrity of my DNS lookups but the ISP can see them; the other hides only my DNS activity from my ISP, but now I have to trust Cloudflare to get me the correct DNS and keep my searches private.
If I run my VPN I'm secure end to end for the most part, but how much do I trust my VPN provider? I use VPN only when I need to hide my actual IP and location (overseas TV and the like).
My simple questions:
(1) Any significant performance differences between DNS over TLS and DNS over HTTPS?
(2) I know my ISP would have a commercial reason to monitor my online activity and perhaps shape my network traffic speeds. Is there any indication that Cloudflare is not on the up-and-up and that they would also have a commercial reason to sell my data?
Any opinions on what gives me the best overall privacy and security: running my own local recursive resolver (I see one of the developers does this with a cluster) and accepting that the ISP is going to see both the DNS requests and the HTTPS requests; or going for greater DNS privacy only, by going encrypted to a third-party DNS provider (removing half the information that the ISP sees)?