More and more encrypted connections are offered when making use of provided services. Pi-hole is still depending on proxies or upstream servers to achieve that. This brings a limitation to the complete usage of Pi-hole because it can not see which client made the request.
Update: going to bark up the DNSMASQ tree because upstream in Pi-hole is handled by them.
For upstream, DoT is the most suited to be used as it is the direct replacement for the current DNS resolve requests through TCP/UDP port 53, which are not using encryption and could be looked at by a third party.
For downstream, both (DoT and DoH) could be offered. DoH also makes Pi-hole externally available in locations where you are restricted in usage of the provided internet connection.