Points 2-7 can be done with blocklists / regex for the most part, no need for anything fancy, but some effort is required from the user to source/maintain their own lists for this.
DNS Rebind Protection can be enabled by adding the following option in a custom configuration file under /etc/dnsmasq.d/.
stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the private IP ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network.
Be sure to check dnsmasq documentation for correct application of related options rebind-localhost-ok and rebind-domain-ok, especially when using local upstream DNS servers for Pi-hole (like unbound).
How do you envision Pi-hole doing this? If a client bypasses Pi-hole and Pi-hole does not receive DNS requests from that client, what can Pi-hole do to force that client to use Pi-hole?
LoL, most people use the web interface, at least all the people I know; just go to Reddit and ask. If you don't make features available to the web UI, most people won't use them. And of course, if they are available in the web UI, it is because they can be used via CLI.
Like any other DNS service? Blocking all domains related to web proxies could be a start; of course, it won't be infallible.
Or we can ask NextDNS what they are doing.
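An added example (not from any poster in this thread, and not Pi-hole or dnsmasq code) that models how the `stop-dns-rebind`, `rebind-localhost-ok` and `rebind-domain-ok` options mentioned above decide which upstream answers get dropped. It can be used to preview the effect of a config on known local names before enabling it. Assumptions: the private range list is RFC 1918 plus link-local and loopback (dnsmasq's built-in list may cover more), only IPv4 is handled, and the config, the `home.lan` zone and the sample answers are constructed.

```python
import ipaddress

# Assumption: these ranges stand in for dnsmasq's "private IP ranges".
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]

def parse_conf(text):
    """Extract the three rebind-related options from dnsmasq-style config text."""
    opts = {"stop": False, "localhost_ok": False, "domains_ok": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line == "stop-dns-rebind":
            opts["stop"] = True
        elif line == "rebind-localhost-ok":
            opts["localhost_ok"] = True
        elif line.startswith("rebind-domain-ok="):
            # accepts both "domain" and "/domain1/domain2/" forms
            value = line.split("=", 1)[1]
            opts["domains_ok"] += [d.lower() for d in value.split("/") if d]
    return opts

def would_reject(opts, name, answer):
    """True if an upstream answer name -> address would be dropped as a rebind."""
    if not opts["stop"]:
        return False
    name = name.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in opts["domains_ok"]):
        return False  # domain explicitly exempted
    ip = ipaddress.ip_address(answer)
    banned = PRIVATE + ([] if opts["localhost_ok"] else LOOPBACK)
    return any(ip in net for net in banned)

# Constructed sample config and upstream answers (hypothetical names)
SAMPLE_CONF = """
stop-dns-rebind
rebind-localhost-ok            # keep 127.0.0.0/8 answers
rebind-domain-ok=/home.lan/    # local zone served by the local upstream
"""
SAMPLE_ANSWERS = [
    ("cdn.example.com", "203.0.113.10"),
    ("rebind.example.net", "192.168.1.1"),
    ("nas.home.lan", "192.168.1.20"),
    ("listed.rbl.example.org", "127.0.0.2"),
]

def audit(conf=SAMPLE_CONF, answers=SAMPLE_ANSWERS):
    """Return the (name, address) pairs the config would reject."""
    opts = parse_conf(conf)
    return [(n, a) for n, a in answers if would_reject(opts, n, a)]
```

Names that turn up in the rejected list but are legitimate local hosts are the candidates for `rebind-domain-ok`.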