by Reelin 2017 days ago
Thanks for spelling it out like that - I think I might see the bigger picture here now. DoH (which incorporates DNSSEC under the hood) to protect the name lookup. IPv6 to provide unique addresses for every single service you connect to. The complete removal of SNI (as a security threat) and ESNI (as unnecessary complexity).

Pi-hole type filtering is then implemented based on IP blocks instead of DNS queries. Any unrecognizable IP address is default denied. Tracking, analytics, and ads could still be proxied by a remote host, but that can already happen anyway.

Of course, your ISP (or VPN, or anyone else along the network path) could employ the exact same approach to determine the services you connect to. Which leads me right back to DoH being largely pointless and Tor or similar being a hard requirement for actual privacy. Unless I'm missing something?
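An added illustration of the two points in the comment above (not code from the commenter or from Pi-hole): a default-deny filter keyed on destination address blocks rather than DNS names, and the same lookup table run from an on-path observer's perspective to show that a per-service address map reveals which services were contacted. The service names and address blocks are constructed and use documentation prefixes only.

```python
import ipaddress
from collections import Counter

# Constructed policy: service label -> address blocks (RFC 5737 / RFC 3849
# documentation prefixes, so none of these refer to a real service).
SERVICE_BLOCKS = {
    "mail": ["192.0.2.0/24", "2001:db8:1::/48"],
    "chat": ["198.51.100.0/25", "2001:db8:2::/48"],
    "tracker": ["203.0.113.0/24"],  # recognised, but the user wants it blocked
}
BLOCKED_SERVICES = {"tracker"}


def _compile(table):
    """Flatten the table into (network, service) pairs, most specific first."""
    compiled = []
    for service, blocks in table.items():
        for block in blocks:
            compiled.append((ipaddress.ip_network(block, strict=True), service))
    # Longest prefix first so a narrower block wins over a broader one.
    compiled.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return compiled


_COMPILED = _compile(SERVICE_BLOCKS)


def classify(dst):
    """Return the service whose block contains dst, or None if unrecognised."""
    addr = ipaddress.ip_address(dst)
    for network, service in _COMPILED:
        if addr.version == network.version and addr in network:
            return service
    return None


def decide(dst):
    """Default-deny egress policy: only known, non-blocked services pass.

    Malformed addresses are denied rather than raising, so a bad input can
    never fall through to 'allow'.
    """
    try:
        service = classify(dst)
    except ValueError:
        return "deny"
    if service is None or service in BLOCKED_SERVICES:
        return "deny"
    return "allow"


def observer_profile(flows):
    """What an on-path observer with the same table learns from destination IPs.

    No DNS traffic or SNI is needed: the address alone names the service.
    """
    counts = Counter()
    for dst in flows:
        counts[classify(dst) or "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample of destination addresses seen on the wire.
    sample = ["192.0.2.10", "192.0.2.11", "2001:db8:2::5", "10.0.0.1", "203.0.113.7"]
    for dst in sample:
        print(f"{dst:>16}  service={classify(dst)!s:<8} policy={decide(dst)}")
    print("observer sees:", observer_profile(sample))
```

The filter and the observer share one function, `classify`, which is the whole point: whatever mapping lets the client allow "mail" and deny "tracker" lets anyone on the path label the same flows, so address-based filtering buys blocking but not privacy.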