and traffic between unbound and root DNS is encrypted (if I'm not mistaken).
so my VPN encrypts all traffic and unbound does the same with dns requests.
We are not involved in the development of unbound. However, looking at `man unbound`, I see an option called `forward-tls-upstream: yes` which seems to suggest using TLS.
Note that using DoT has several disadvantages, the most severe one being that you cannot use TLS encryption to the root servers; instead, you have to specify upstream providers that support DoT (e.g. Quad9 or CF). In my eyes, this causes additional problems because you allow them to collect your DNS queries, which is exactly what you prevent by querying the root servers directly with unbound. Also, this just encrypts the traffic between you and the upstream provider. It does not protect their requests to the root servers, so you should only consider this when you are in a situation where you can ultimately trust these providers (offering an expensive service for free...) and cannot trust your own ISP (whom you pay money for their service).
I read your answer carefully, and I thank you for that. You have noticed, I suppose, that I have no confidence in the Internet service providers as to their discretion on DNS requests. This is also the reason why I chose to directly query the root servers. So I will stay on my current configuration, even if the flow goes unencrypted between unbound and root DNS servers.
Also keep in mind that DoH / DoT is not the holy grail for privacy. Your ISP (and others) will still be able to see where you connect to.
Think of it like this:
DNS is like asking someone for directions. After you got them, you go there. So even if you trust the person whom you got the directions from more than your ISP, your ISP can still just follow you walking over there and see who you visit.
Example: when your laptop gets a DNS reply from somewhere (e.g. ISP, root server, anything upstream really) for website.com and receives IP address 1.2.3.4 as a reply, then your browser connects to 1.2.3.4, which is visible to your ISP (and others upstream). Even when the DNS query was done over DoT or DoH.
It does not matter even if the IP you connect to hosts multiple websites. While TLS (HTTPS) may encrypt the HTTP Host header which is needed for virtual hosts, its SNI is outside of the encrypted stream and is easily readable for anyone along the way.
Folks are working on ESNI, which could encrypt this. But this is far from being the standard yet. It also is far from being perfect, as the ESNI proposal still has a flaw in the design itself.
Even with ESNI or an improved successor, your ISP and others "along the way" will still be able to see which IP you connect to. So it's not hard to figure out what site you visit if "they" wanted to.
Since it's a rather complex topic, with lots of stuff involved, let me try somewhat to give an overview:
Browser ad-blocker
- Versatile in blocking individual ads and objects in content.
- Not protecting all of your network or device, just 1 browser.

Pi-hole
- Protecting all of your network and devices, if configured right.
- Can only block on a DNS (domain) level, not individual ads and objects in content.

TLS (HTTPS)
- Prevents parties from viewing/altering the content you receive and send.
- Does not hide what sites you connect to.
- Could be circumvented by ISPs using MitM (for DPI/content-injection).

DNSSEC
- Prevents parties from altering DNS responses along the way back to you.
- Handy to prevent DNS-based ad-injections by ISPs and other foul play.
- Does not protect against ISP content-injected ads.

DoH/DoT
- Prevents parties from viewing DNS queries & responses to some extent.
- Root servers do not offer encryption, so you will need a third party (can you trust them?).
- The "last mile" to the root servers is always unencrypted (thus far).
- You can host your own DoH script on an external server, as an alternative to Google/CF/Quad9.
- No true privacy benefits against ISPs, since you connect through them after you received your DNS response anyway.

VPN
- More privacy (your ISP can't see what you visit, unlike just DoH/DoT). But your VPN provider can.
- Costs money (faster/decent ones do at least).
- Only as good as you trust them to be (do they really not keep logs or mess with your connection?).
- Harder to do your own DNS (e.g. use Pi-hole as an (ad-)blocker) out-of-the-box.

As you can see, filtering out ads and other bad stuff, and also keeping a high level of privacy, is a major undertaking that requires a combination of techniques and a lot of technical know-how. And even then it's never perfect, I'm sure.