On Windows, you can probably do this via GPOs. How does one configure a fleet of Mac or Linux machines? How does one do it with BYOD or on a campus of students' machines?
Perhaps some thought as to service discovery should have been done:
If Mozilla is going to re-invent the wheel (OSes already do DNS look ups), they perhaps should have asked the DNS folks (e.g., DNS-OARC) about some of the corner/use cases IMHO.
You have twenty different applications using DoH for “increased security” and you need a custom profile for each? Why not a single line in resolv_doh.conf?