This is nothing that wasn't possible before. Taking the traditional example of hosts-blocking the Adobe activation servers, what was stopping them from just querying 1.1.1.1 from the app? Or even falling back on a hard-coded IP?
Especially with IPv6, bypassing DNS-based blocks is rather trivial - the main reason we don't see it all that much is that companies simply don't care to do it. Users of PiHole and similar are usually the kinds of users who will figure out a way to block whatever they want one way or another, so there's no use in trying to stop them. Until we get hardware-enforced app signing (big middle finger to Apple here) we can block anything, regardless of DoH.
You're right, I guess the question is did they bother before. If normal DNS works fine for 95% of users, the hurdle of implementing a non-standard workaround is too much. If DOH is the norm, then the hurdle becomes lower.
Of course you can just drop a rule blocking the IP address on your firewall, which will probably work for a while.
I would argue that the hurdle of bypassing DNS-based content blocking was already so vanishingly small that it doesn't make any sense to impede useful and practical privacy technologies on that basis.
You could make the exact same kind of argument about widespread use of HTTPS for example. Do we want to allow encryption technology if it means the enemy can use it too? As a society we have agreed that encryption is a net positive even though terrorists and criminals benefit from it, but when malware uses it then that's too far?
>I would argue that the hurdle of bypassing DNS-based content blocking was already so vanishingly small [...] //
That doesn't hold up under scrutiny. My pihole blocks ~11% of domain lookups (blocking 1000 queries per day for our household); turning it off vastly increases the unwanted content. It might seem like an easy hurdle in principle, but it's a hurdle that works in practice.
I don't follow the reasoning that says this is a small barrier to malware so we'll remove it.
What are we, end users, getting out of routing all our domain lookups to Cloudflare and ceding control of filtering?
The next step is blocking all the traffic from all apps and whitelisting the IP addresses app by app. I did it on my Android phone, a couple of phones ago. I don't remember the name of the app. It could be done on a desktop or server OS too.
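The thread raises two bypass patterns (an app talking to 1.1.1.1 directly, or to a hard-coded IP) and one measurement (the share of lookups a Pi-hole actually blocks). The script below is an added example, not code from any poster or from the Pi-hole project. It assumes a dnsmasq-style resolver log and a simple gateway connection log; both inputs are constructed here, and the set of public resolver addresses to watch is an assumption beyond the 1.1.1.1 mentioned in the thread. It computes the block ratio and flags clients whose connections never went through the local resolver.

```python
"""Spot clients that sidestep a local resolver such as Pi-hole.

Added example, not code from the thread. Inputs are constructed:
a dnsmasq-style query log from the local resolver and a plain
connection log from the gateway firewall (format assumed).
"""
import re
from collections import defaultdict

# Public resolver addresses worth watching. 1.1.1.1 appears in the
# thread; extend the set from your own policy (assumption).
PUBLIC_RESOLVERS = {"1.1.1.1"}
ENCRYPTED_DNS_PORTS = {443, 853}   # DoH and DoT

# Constructed sample of dnsmasq/Pi-hole style lines.
RESOLVER_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.10
Mar  3 10:00:01 dnsmasq[812]: reply example.com is 93.184.216.34
Mar  3 10:00:05 dnsmasq[812]: query[A] ads.example.net from 192.168.1.10
Mar  3 10:00:05 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Mar  3 10:00:09 dnsmasq[812]: query[A] example.com from 192.168.1.20
Mar  3 10:00:09 dnsmasq[812]: reply example.com is 93.184.216.34
"""

# Constructed gateway connection log: time src dst dport proto.
CONN_LOG = """\
10:00:02 192.168.1.10 93.184.216.34 443 tcp
10:00:06 192.168.1.10 203.0.113.7 443 tcp
10:00:10 192.168.1.20 1.1.1.1 443 tcp
10:00:11 192.168.1.20 93.184.216.34 443 tcp
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
ANSWER_RE = re.compile(r"(?:reply|gravity blocked) (\S+) is (\S+)")


def parse_resolver_log(text):
    """Return ({client: set of answered IPs}, {"queries": n, "blocked": m}).

    An answer is attributed to the client whose query for that name was
    seen most recently; dnsmasq does not log the client on reply lines,
    so this is an approximation that is good enough on a home network.
    """
    resolved = defaultdict(set)
    pending = {}
    stats = {"queries": 0, "blocked": 0}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name, client = m.groups()
            pending[name] = client
            stats["queries"] += 1
            continue
        if "gravity blocked" in line:
            stats["blocked"] += 1
        m = ANSWER_RE.search(line)
        if m:
            name, ip = m.groups()
            client = pending.get(name)
            if client:
                resolved[client].add(ip)
    return resolved, stats


def block_ratio(stats):
    """Share of queries answered from the blocklist (0.0 if no queries)."""
    return stats["blocked"] / stats["queries"] if stats["queries"] else 0.0


def find_bypass(resolved, conn_text):
    """Flag connections that did not go through the local resolver."""
    findings = []
    for line in conn_text.splitlines():
        _ts, src, dst, dport, _proto = line.split()
        if dst in PUBLIC_RESOLVERS and int(dport) in ENCRYPTED_DNS_PORTS:
            findings.append((src, dst, "encrypted-dns-to-public-resolver"))
        elif dst not in resolved.get(src, set()):
            # Hard-coded IP or a lookup done elsewhere: the local
            # resolver never handed this address to this client.
            findings.append((src, dst, "destination-never-resolved-locally"))
    return findings


if __name__ == "__main__":
    resolved, stats = parse_resolver_log(RESOLVER_LOG)
    print(f"blocked {block_ratio(stats):.0%} of {stats['queries']} queries")
    for src, dst, why in find_bypass(resolved, CONN_LOG):
        print(f"{src} -> {dst}: {why}")
```

On the constructed input the block ratio is one in three, client 192.168.1.10 is flagged for reaching an address it never resolved locally, and 192.168.1.20 is flagged for a TLS connection straight to 1.1.1.1. On a real network, expect noise from CDNs that answer with many addresses and from clients with cached answers older than the log window, so treat the second finding type as a prompt to look, not as proof.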