What happens when they move from default dns to ech with pinned dns servers? I was reading about ech a bit yesterday so I could keep up with apps trying to circumvent dns filtering on my kids' devices.

Usually I require a root cert so devices can have their traffic inspected or be isolated into an unsafe network where most nonessential traffic is blocked by default. I suppose letting an iot device connect will become more risky in the future when I can't control the dns resolver or can't confidently block requests through dns alone.