by tialaramex
1771 days ago
The problem with just solving DNS privacy is that Winnie doesn't care whether you "privately" resolved the name or not; blocking the entire server works fine when each server corresponds to one name. The ability of users to privately resolve winnie-the-pooh.china.example to 10.20.30.40 doesn't help when Winnie can just block 10.20.30.40 entirely. One of the things we see with the Great Firewall is that you can reach some brand new service, and then a few minutes later (after presumably some automation spun up, examined it and didn't like what it found) it's blocked. In contrast, under ECH Winnie can choose to have 10.20.30.40 blocked, and if the only things on it are winnie-the-pooh.china.example and kick-putin-out.russia.example then why not. But if it also features popular-website.example then that's a difficulty.

If it helps, while I expect Cloudflare will continue as before, ECH is actually carefully designed so that intermediates can be set up to be able to discern that you want winnie-the-pooh.example and make that work without in fact knowing how to answer for that name. In effect you can sign up to have some popular host (e.g. Google, Amazon, or indeed Cloudflare) provide their servers for your names, but not provide your services and not have any ability to MITM you; they're acting as a sort of IP proxy instead. And some of the big names are clearly enthusiastic about enabling this capability, albeit for a price.
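The split arrangement the comment above describes, where the client-facing server holds only the ECH key, learns the inner name, and forwards to a backend whose certificate key it never has, as an added example that is not part of the original comment or of any ECH implementation. It is a deliberately simplified model in Go, not the ECH wire format: HPKE is replaced by X25519 plus an HMAC-SHA256 key derivation and AES-256-GCM, the inner ClientHello is reduced to its server_name, and the names, addresses and backend table are assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy encoding, not the ECH wire format: outer ClientHello = public_name in the
// clear + ECH blob; inner ClientHello reduced to its server_name, sealed to the ECH key.
type ECHPayload struct {
	Enc        []byte // client's ephemeral X25519 public key (HPKE "enc")
	Ciphertext []byte // AES-256-GCM over the inner server_name
}

type OuterClientHello struct {
	ServerName string // public_name: all an on-path observer sees
	ECH        ECHPayload
}

// aeadFor stands in for HPKE's KEM+KDF: X25519 shared secret -> HMAC-SHA256
// bound to both public keys -> AES-256-GCM.
func aeadFor(shared, enc, echPub []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("toy-ech-v1"))
	mac.Write(enc)
	mac.Write(echPub)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealClientHello (client side): fresh ephemeral key per hello, so the all-zero nonce is never reused; public_name is bound as AAD.
func SealClientHello(echPub *ecdh.PublicKey, publicName, realName string) (OuterClientHello, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return OuterClientHello{}, err
	}
	shared, err := eph.ECDH(echPub)
	if err != nil {
		return OuterClientHello{}, err
	}
	enc := eph.PublicKey().Bytes()
	aead, err := aeadFor(shared, enc, echPub.Bytes())
	if err != nil {
		return OuterClientHello{}, err
	}
	ct := aead.Seal(nil, make([]byte, aead.NonceSize()), []byte(realName), []byte(publicName))
	return OuterClientHello{ServerName: publicName, ECH: ECHPayload{Enc: enc, Ciphertext: ct}}, nil
}

// ClientFacingServer holds only the ECH private key and a routing table: no backend
// certificate key, so it can forward the hello but not complete or MITM the handshake.
type ClientFacingServer struct {
	echPriv  *ecdh.PrivateKey
	backends map[string]string // inner server_name -> backend address (assumed table)
}

func NewClientFacingServer(backends map[string]string) (*ClientFacingServer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ClientFacingServer{echPriv: priv, backends: backends}, nil
}

// PublicKey is what the ECHConfig published in DNS would carry.
func (s *ClientFacingServer) PublicKey() *ecdh.PublicKey { return s.echPriv.PublicKey() }

// Route opens the ECH blob and maps the inner name to a backend address.
func (s *ClientFacingServer) Route(h OuterClientHello) (string, error) {
	encPub, err := ecdh.X25519().NewPublicKey(h.ECH.Enc)
	if err != nil {
		return "", err
	}
	shared, err := s.echPriv.ECDH(encPub)
	if err != nil {
		return "", err
	}
	aead, err := aeadFor(shared, h.ECH.Enc, s.PublicKey().Bytes())
	if err != nil {
		return "", err
	}
	name, err := aead.Open(nil, make([]byte, aead.NonceSize()), h.ECH.Ciphertext, []byte(h.ServerName))
	if err != nil {
		return "", fmt.Errorf("ECH open failed (wrong key or tampered outer hello): %w", err)
	}
	addr, ok := s.backends[string(name)]
	if !ok {
		return "", fmt.Errorf("no backend for %q", name)
	}
	return addr, nil
}
```

The point to check is what each party can see: an on-path observer gets only `OuterClientHello.ServerName` (the public name) and the shared IP; the client-facing server can open the blob and pick a backend, but a server without the ECH private key cannot, and swapping the outer public_name fails the AAD check rather than silently misrouting.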