[throw0101a]

And for that you need TLS tickets/cookies, don't you? (So you can resume your crypto state.) Isn't that a good way to track users?

Instead of a query coming from an IP (probably NATed with IPv4), you can identify individual browsers AFAICT.

[tialaramex]

The DoH server gets to track users if they use a resumption method, yes. As I understand it Firefox puts extra work in to ensure that it doesn't share the backend cache between your HTTPS service and the DNS resolver so there's no risk that if the DNS service and the HTTPS site you're visiting are owned by the same people they can correlate that, but they would be able to see that it's the same browser asking for say, camelporn.example and visit-arabia.example

If you disabled resumption you could get rid of this issue at a cost of one extra round trip per DNS lookup.

Nobody else gets to track users this way (at least in TLS 1.3 and I'd assume DoH implementers will use TLS 1.3 since they are of similar vintage) because the keys aren't re-used so the identifier for the key will just appear to be random noise each time.