From my point of view, you’re wasting time and resources on a long-term, maintenance-intensive redesign of the outdated dnsmasq. Moreover, such integration unnecessarily increases complexity and makes troubleshooting difficult. A clean unbound implementation would be better.
It offers everything you need in small environments - caching, DNSSEC and especially QNAME minimization. https://ripe72.ripe.net/presentations/120-unbound_qnamemin_ripe72.pdf
Any DNS forwarding assumes that the DNS service is trustworthy. For which one would you put your hand in the fire? For privacy reasons, there is currently no alternative to using DNS resolvers with QNAME minimization for DNS in conjunction with DNSSEC. Haven’t you learned anything from the various data protection scandals, such as the recent one at Facebook? I use a Raspberry Pi with unbound and QNAME minimization as a forwarder.
Most DNS requests come from the unbound cache, in addition to the local Pi-hole cache.
If you don’t want to give up dnsmasq completely, at least offer a clean integration of a local unbound installation next to dnsmasq, so that only local forwarding has to be done.