when I said privacy I was had NSEC3 in mind. To be honest I have no idea how does it work / why is it a thing but it looks like it obfuscates (deleted?) subdomains to make it harder to enumerate them. This is why you see stuff like
Right. That doesn't really work: you can crack them like a 1990s password file, which is why there's whitelies (online-signer chaff records) to defeat that attack. Either way: it's not really what people think about when they think "privacy". It's generally the position of the architects of DNSSEC that domain names simply aren't private at all. Meanwhile: actual DNS privacy, of what domains you're visiting with your browser, is provided by DoH, not DNSSEC.