by pritambaral 2537 days ago
If it's malware behaviour you're worried about, DoH is not special in any way. Malware using tunnels (and more) to ensure connectivity to its C&C servers is commonplace.

And how does the malware determine which IP to connect to? Often, though of course not always, they use DNS:

* https://en.wikipedia.org/wiki/Fast_flux

Of course DNS is used often; it's the most convenient. But the point isn't "sometimes DNS is used"; I never claimed "DNS is never used".

The point is "DNS is not the only way and malware authors have known and used this fact". The counter-convenience you seem to be looking for — to quote your prior statement, with added emphasis: "If malware has to talk to internal DNS servers ..." — was never there in the first place. No matter how hard you try, there is no way you can force all malware ever to always talk to your internal DNS servers.