Is it possible for devices to ask the pihole without doh, and the pi-hole to forward the request with doh if the domain isn’t in the cache?

I suppose you’re right, but forging that kind of thing would be difficult, also considering the PKI already in place. If someone has their own email server and they sign/encrypt their email, and host their public key on a key server somewhere, it’s highly unlikely that all three would be compromised. and even if that fails, you could just meet up with them and exchange flash drives with keys.

What’s stopping someone from just sending public keys or something through Signal and encrypting their messages that way? There’s no way to enforce this with such simple loopholes present. We shouldn’t be focusing on breaking privacy and instead invest in helping existing victims in ways that actually matter.