Recommended strategy for clients with hard-coded DNS?

Then people need to decide what their limit of bullshit is. If you are willing to accept black boxes being attached to your network, to have all of your traffic flow through a device you have no say or control over, nor any real idea if it's sending everything that flows through it to an adversary you don't want, well, all bets are off. Ad blocking won't be a concern anymore, you'll only be allowed to visit "approved" sites, speak the approved newspeak, read the approved blogs and sites, etc...

I wear tin foil regularly, but if you accept having uncontrollable devices as Big Brother's Helper then you're screwed hard.

2 Likes

If your router doesn't allow you to redirect traffic, it might be worth looking at whether it has some kind of firewall settings. It might allow you to block outgoing traffic on port 53 except for your pihole. I have good experience with blocking outgoing DNS traffic for all devices except my pihole - it forced Google's IoT devices to honor my DHCP settings and fall back to my pihole as DNS server instead of the hard-coded Google DNS servers.

Of course, it is not guaranteed to work like that with all devices, or to still work after any kind of software/firmware update. But it still might be worth a try.

1 Like
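The port 53 block described in the post above, written as an nftables ruleset for a Linux-based router. This is an added example, not part of either post; the interface name `br-lan`, the Pi-hole address `192.168.1.2` and the table name `dns_guard` are assumed placeholder values.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed values: adjust to your own network.
define PIHOLE = 192.168.1.2   # assumed Pi-hole address
define LAN_IF = "br-lan"      # assumed LAN-side interface of the router

table inet dns_guard {
    chain forward {
        # Only routed traffic passes this hook. Clients talking to a
        # Pi-hole on the same LAN segment are switched, not routed,
        # so their queries to the Pi-hole never reach these rules.
        type filter hook forward priority 0; policy accept;

        # The Pi-hole may query upstream resolvers.
        ip saddr $PIHOLE udp dport 53 accept
        ip saddr $PIHOLE tcp dport 53 accept

        # If the Pi-hole sits on another routed subnet, still let
        # clients reach it.
        ip daddr $PIHOLE udp dport 53 accept
        ip daddr $PIHOLE tcp dport 53 accept

        # Any other LAN device sending DNS to an outside resolver is
        # logged, counted and rejected (IPv4 and IPv6). Rejecting
        # instead of dropping gives the client an immediate error
        # rather than a timeout.
        iifname $LAN_IF udp dport 53 log prefix "dns-bypass: " counter reject
        iifname $LAN_IF tcp dport 53 log prefix "dns-bypass: " counter reject with tcp reset
    }
}
```

The `dns-bypass:` log entries and the rule counters show which devices are still trying their hard-coded resolvers.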