SERVFAIL or REFUSED is also not helpful to the end user. They should return the IP of a host serving a static single-page website explaining the issue.
>>majews+(OP)
REFUSED will trigger a lookup on the next DNS server in the list, which may not be Cloudflare, instead of guaranteeing the user can't go to the real page.