DNSSEC doesn't quite work that way. All DNSSEC does is sign the records so that you can tell if the query response was modified in route. Having an upstream or a provider with DNSSEC enabled doesn't change the records at all. You can have a client or Pi-hole with DNSSEC disabled and a provider with DNSSEC enabled. You just wont have the verification of the record if it was signed. And not many domains/zones are actually signed.
Yes, otherwise you're just doing a plain query and won't use the DNSSEC information (if provided) to verify the query response.
I think you may be confusing DoT or DoH that set up encrypted connections between the client and the resolver?