Pi-Hole does DNS block issue

Hi All,
I've configured my Pi-Hole to have a group for kids. In that group I've configured it to block all sites by regex (blacklist). I also whitelisted all school-related pages.
So the purpose is that when I enable the group, it allows the kids to navigate only to what is whitelisted.
Alternatively, I can disable the group and let them play games on the internet.
For test purposes I've added my Mi8 phone there too.

For some reason filtering sometimes does not work. The kids can still browse sites and play Roblox any time. Meanwhile my test phone is still blocked properly.
Other times all works properly for all Group users.
My debug/token is
https://tricorder.pi-hole.net/Fu4wrFbN/

Your adlist URL is assigned to the Default group plus one other group (the one that ends in "2").

You also have your kids group. There are a load of rules and they are mostly assigned to the kids group, as you describe. And you have what looks like your kids laptop and phone assigned to just that group.

This means the kids will get the blocking and whitelisting from your rules but won't get the blocking from the adlist. So if you turn off their group they have no blocks at all (nor any whitelisting, but since nothing is blocked that becomes irrelevant).

To fix that, add the kids devices (in the Clients section) to both the kids group and the Default group. Now they will have the blocking of the adlist URL plus the additional rules you have added for the kids group. When you disable the kids group they will still have the standard blocking of the adlist in the Default group.

Without knowing which groups and clients are exactly which it's tricky to advise more but that's the idea – have the Default group with adlists and some rules assigned to it, then have another group for the kids with their adlists and rules assigned to it, and then put the kids clients in both groups, so they get the normal Default blocking all the time, plus the kids blocking when the kids group is turned on.

The other thing is that their devices may be using other DNS servers. For example some Android devices automatically pick up whatever DNS the DHCP gives them (in your case that's the Pi-hole DHCP server giving them the Pi-hole to use for DNS), but automatically add Google's DNS as an extra option. If their devices are doing that then they will be able to bypass Pi-hole. In addition some apps may have DNS hard coded in or simply use fixed IPs directly and ignore all the local DNS. Also the kids may know enough to simply change the DNS settings manually to use something like Google, bypassing Pi-hole completely, or even just come off the wifi and onto mobile data.

A couple of ways you might be able to handle that on wifi – if your router supports firewalling, you can block DNS leaving the network from anything other than the Pi-hole. If it's a more advanced firewall you can even redirect such requests to the Pi-hole so all queries are forced to go via it. Or your router may support parental controls, where certain devices can be restricted at certain times. Some mesh systems also support this. Neither of those is perfect by any means but they can help if available.

Here is a Roblox blocklist, it's a bit out of date but might be useful. To add this into the mix you would add it in the Adlist section, then assign it to just the kids group. Then do a gravity update. When the kids group is enabled, the kids devices (which are in the Default and kids groups) will have the Default adlist plus this one (plus your rules).
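The group behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original post and not Pi-hole's own code: the table names, the client name `kids-laptop` and the rule values are constructed, and the model assumes only what the reply states, namely that a client receives the lists and rules of the enabled groups it belongs to.

```python
import sqlite3

# Simplified model of the group semantics; all table, client and rule names are constructed.
SCHEMA = """
CREATE TABLE grp (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER);
CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
CREATE TABLE rule (id INTEGER PRIMARY KEY, kind TEXT, source TEXT);
CREATE TABLE rule_by_group (rule_id INTEGER, group_id INTEGER);
"""

def build_db(kids_in_default):
    """Build the setup from the thread; kids_in_default applies the suggested fix."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO grp VALUES (?,?,?)", [(0, "Default", 1), (1, "kids", 1)])
    db.execute("INSERT INTO client VALUES (1, 'kids-laptop')")
    db.executemany("INSERT INTO rule VALUES (?,?,?)", [
        (1, "adlist", "main-adlist"),
        (2, "regex-block", ".*"),
        (3, "whitelist", "school.example"),
    ])
    # The adlist lives in Default; the block-all regex and whitelist live in kids.
    db.executemany("INSERT INTO rule_by_group VALUES (?,?)", [(1, 0), (2, 1), (3, 1)])
    memberships = [(1, 1)] + ([(1, 0)] if kids_in_default else [])
    db.executemany("INSERT INTO client_by_group VALUES (?,?)", memberships)
    return db

def set_group(db, name, enabled):
    db.execute("UPDATE grp SET enabled = ? WHERE name = ?", (int(enabled), name))

def effective_rules(db, client_name):
    """Rules reaching a client: only those assigned to enabled groups it belongs to."""
    rows = db.execute("""
        SELECT DISTINCT r.id, r.kind, r.source
        FROM client c
        JOIN client_by_group cg ON cg.client_id = c.id
        JOIN grp g ON g.id = cg.group_id AND g.enabled = 1
        JOIN rule_by_group rg ON rg.group_id = g.id
        JOIN rule r ON r.id = rg.rule_id
        WHERE c.name = ? ORDER BY r.id""", (client_name,)).fetchall()
    return [(kind, source) for _, kind, source in rows]

if __name__ == "__main__":
    for fixed in (False, True):
        db = build_db(kids_in_default=fixed)
        for enabled in (True, False):
            set_group(db, "kids", enabled)
            print(f"in Default={fixed} kids enabled={enabled}:", effective_rules(db, "kids-laptop"))
```

With the client only in the kids group, disabling that group leaves an empty rule set; with the client in both groups, the Default adlist still applies.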

Hi chrislsp,
Thanks for the reply and the tips regarding adlist URLs. I will definitely reconfigure my PiHole after fixing this issue.

As you noticed, the kids' laptop (with the name "Cutе") is attached to the appropriate group, the one including "kids" in its name, but is not being blocked when the group is enabled. Meanwhile my Mi8 phone in the same group was blocked. I still do not understand how?

Some more info. The "Cutе" laptop is on Windows 10. The router is configured to use PiHole as DNS and also the PiHole DHCP server. As you noticed, the router's Parental Control is far from being good and is also only for a paid subscription.
