[tptacek]

With respect to your OS versus your browser, you're using "trust" in a different way than I am. Obviously, you have to "trust" your OS in a strict engineering sense; if the kernel is compromised, nothing the browser can do will meaningfully mitigate that. That's not what I'm talking about. I'm saying I "trust" my browser developer to care more about DNS security than I "trust" my OS vendor, just like I "trust" Chrome's X.509 handling more than I "trust" the certificate validation code that ships on the OS. It's not that I think the OS developers are malicious; quite the opposite. I just believe, with some evidence, that they're not incentivized to adopt modern security mechanisms for those features.

My operating system ships with IPSEC VPN support. I'm not going to use it, even though I think highly of the poor souls tasked with maintaining it for Apple; I use WireGuard instead, because I trust Jason and, more importantly, Jason's incentives, more than I trust Apple. I certainly don't feel like I need permission from my OS (in the form of them formally adopting WireGuard) to do so.

With respect to endpoint security – I assume really what you mean is the security of the resolver server that you use, which can indeed monitor your DNS requests – yes! You do have to trust the DoH server with your requests. You should choose one that you do trust. But because your US ISP is already violating that trust flagrantly, you're almost better off with any off-network DoH server you can find. Really, if you're a stickler, you'll just run your own DoH server. You can't do worse than the status quo ante.

I don't care about the "convolution" argument.