[EvanAnderson]

I agree with you, but the counterargument that'll be made against you is "you should be doing that on the endpoints".

That counterargument ignores the fact that you can be the owner of an endpoint but not be permitted, by manufacturer's policy, to control the software running inside. That's what you get for purchasing a proprietary device.

So, as the network operator and owner of the endpoints in the world of DoH (and pinned certificates), you end up being left with the decision to "vote with your wallet" and simply not purchase devices that don't afford you influence on name resolution (or whatever functionality we're talking about)

The counterargument goes on to say that the manufacturers of these sealed-box devices can functionally do this today anyway simply by implementing their proprietary name resolution (content delivery, etc) protocol.

It was all fun while it lasted.