If you don’t force encrypted DNS then you are trusting defaults and defaults exist to benefit operators, not you.
https://untraceabledigitaldissident.com/force-encrypted-dns-every-device/
Thoughts on NextDNS and/or Mullvad’s approach? I run adguard and force lookups to NextDNS even for IoT devices. Also Tailscale with exit node VM as a VPN ;) Sometimes this will forward on Public/Portal wireless without auth.