I'm not an expert on what makes a "good DNS", but I have been using a pi-hole for about 5 years and it has been super stable the whole time, despite my best efforts.
As far as I read (I'm no expert!) they could check the SNI of the TLS handshake if they want.
But using the DNS of the ISP is handing them the data right in a way they can analyze/use them very easily afaik?
They route your traffic, hence they can see all IP addresses you communicate with. With a reverse lookup you can then usually find out the address too.
In the end it comes down to what your goals is. DOH indeed hides DNS queries from sniffers and your ISP, but the traffic between you and your destination is still visible for the ISP (unless you use a VPN or TOR).
If you only care about the content blocking aspect a third party resolver may make sense as @CrazyClown@lemmy.ca explained below.
Quad9 is decent, but there's some weird legislative issues (they can be court ordered to not resolve certain sites) BC weird reasons.
If you have a raspberry pi or similar sitting somewhere, you can set up a pihole DNS with unbound as upstream. Then you've got a DNS that's as private as you want, locally cached and with additional ad/malware/... blocking capabilities.