Apps can (and do) absolutely use DoH themselves. One way to mitigate is to block DoH IPs (RethinkDNS' on-device network logs are quite comprehensive). This isn't full-proof, and so, a feature we have been contemplating is, firewall would auto-block IPs not resolved by user-set DNS resolver.
Yes, there's an IP firewall too.
Apps can (and do) absolutely use DoH themselves. One way to mitigate is to block DoH IPs (RethinkDNS' on-device network logs are quite comprehensive). This isn't full-proof, and so, a feature we have been contemplating is, firewall would auto-block IPs not resolved by user-set DNS resolver.