Oh I know, but so far you can still ask both Firefox and Chromium to not use DoH and hence force them to use port 53, and from what I've seen they really honor that. For the moment.
I don't doubt that in a not-so-distant future we may see companies hardcoding DoH into apps without any possibility of removing that setting!
What I do is no panacea but it gets rid of a lot of things.
> There are so many sneaky ways to resolve a hostname an app or device can choose to use now.
But I whitelist apps that can connect to the net. Browsers, apt (for Debian/Devuan package updates), the one that updates the NTP/time, SSH out and that's basically it.
I know it's a game of whack-a-mole, but I'm still playing it : )