If I get access to those devices, yeah, sure. But in practice, I'd argue this actually reduces privacy for users, as it gives apps and devices a secure path through the network which cannot be monitored by any intermediary - including the user of the app or the owner of the device themselves. So no chance to find out what kind of data is being transmitted there either.
To me, DoH seems less about protecting the user from attackers and more about protecting apps and devices from the user.
I think your point is 100% correct but surely you understand that this applies to HTTPS too. Network filtering would be so much more powerful if my pihole could modify and block HTTP requests in-flight.
One way to limit this would be to add IPs resolved through an approved resolver to a temporary allowlist for a firewall. The firewall would default-deny outbound network requests. Allowlisted IPs would be permitted, but be removed from the list after the TTL for the DNS request expires.
Of course, you'd have to add in some permanent exceptions once you realize just how much hardware and software implodes as a result of this.
Some expected, like peer-to-peer applications, though those allow you to define an outbound ephemeral port range you can limit them to (except perhaps for some poor implementations in commercial game launchers trying to offload bandwidth costs). So some are fairly easy to define.
Others you'll have to log and see. Like your Google Home hardware.
I got some minis and disabled the mics since they had hardware switches. I hacked around a bit to emulate sending them audio programmatically and discovered they use external DNS and therefore couldn't resolve the local network web server hosting the audio clips I wanted to play. So I had to permanent-lease the hostname's IP and give it an IP address. They were already bypassing local DNS blockers years ago.
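The allowlist scheme sketched in the comment above, worked through as an added example (not code from any commenter): outbound traffic is default-denied, an IP is pinned only when the approved resolver answers with it, the pin lapses when the record's TTL elapses, and a hand-maintained permanent set covers the hardware that resolves names elsewhere and would otherwise simply stop working. All names, addresses and timestamps are constructed; the class models the policy decision only and drives no real firewall.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DnsAnswer:
    """One A-record answer as seen from the approved resolver (constructed)."""
    name: str
    ip: str
    ttl: int  # seconds the answer is valid for


@dataclass
class PinnedAllowlist:
    """Default-deny outbound policy keyed on what the approved resolver answered."""
    temporary: Dict[str, float] = field(default_factory=dict)  # ip -> expiry time
    permanent: Set[str] = field(default_factory=set)           # operator-added exceptions
    resolutions: List[Tuple[float, str, str, int]] = field(default_factory=list)
    denials: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, answer: DnsAnswer, now: float) -> None:
        """Pin the answered IP until now + TTL; a later answer can only extend a pin."""
        expiry = now + answer.ttl
        self.temporary[answer.ip] = max(self.temporary.get(answer.ip, 0.0), expiry)
        self.resolutions.append((now, answer.name, answer.ip, answer.ttl))

    def expire(self, now: float) -> List[str]:
        """Drop pins whose TTL has elapsed and return the IPs removed."""
        gone = [ip for ip, exp in self.temporary.items() if exp <= now]
        for ip in gone:
            del self.temporary[ip]
        return gone

    def check(self, ip: str, now: float) -> bool:
        """Decide one outbound connection. Denials are logged so the operator can
        'log and see' which devices never went through the approved resolver."""
        if ip in self.permanent:
            return True
        self.expire(now)
        if ip in self.temporary:
            return True
        self.denials.append((now, ip))
        return False


def demo() -> dict:
    """Walk through the lifecycle with constructed addresses (RFC 5737 ranges)."""
    acl = PinnedAllowlist()
    # t=0: approved resolver answers for a host the user actually asked about
    acl.observe(DnsAnswer("www.example.com", "192.0.2.10", ttl=60), now=0)
    in_ttl = acl.check("192.0.2.10", now=10)         # pinned, allowed
    # t=20: a device resolved a name via its own external DNS, so we never saw
    # an answer for this IP; default-deny blocks it and records the attempt
    rogue_first = acl.check("198.51.100.5", now=20)
    # operator reads the denial log and adds a permanent exception
    acl.permanent.add("198.51.100.5")
    rogue_after = acl.check("198.51.100.5", now=21)
    # t=61: the 60 s TTL has elapsed, the pin is gone, traffic is denied again
    after_ttl = acl.check("192.0.2.10", now=61)
    return {
        "in_ttl": in_ttl,
        "rogue_first": rogue_first,
        "rogue_after": rogue_after,
        "after_ttl": after_ttl,
        "denials": list(acl.denials),
        "pinned_now": sorted(acl.temporary),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denial log is the operational piece: it is what turns "everything implodes" into a concrete list of devices and destinations to either route through the approved resolver or add to the permanent set deliberately.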
> add IPs resolved through an approved resolver to a temporary allowlist for a firewall
That ship has sailed now that some of the functionality provided by TCP moved up to HTTPS. Whereas in the past you could expect the same IP to expose DNS on port 53, FTP on port 21, or HTTP on port 80, now the same IP will serve you everything over the handy port 443.
So a software developer can very well go this route if they want to obfuscate DNS calls and you wouldn't be able to discriminate the traffic like you would today with ports.
Any global (OS/network) policies become meaningless if your browser or app decides to only ask the DoH resolver "who is google.com" or "who is facebook.com" once, and have all subsequent queries go that way inside an encrypted HTTPS stream.
Key word is any single intermediary. The announcement even explicitly says "no single entity can see both at the same time".
I wonder what it would be like if there were multiple entities in cooperation, each sharing their component of your request with their partners to recover the entirety. You could cover the entire planet with access to even as few as three or five or so large networks.