Unbound DNS, if compiled with --with-libnghttp2, can listen for DoH, and your Unbound/Pihole can forward to any destination you desire. This is what it looks like on my firewall:
# https://doh-int.mydomain.net/dns-query
interface: [ip of lan port]@443
interface: [ip of wifi port]@443
https-port: 443
http-max-streams: 220
tls-service-key: "/etc/unbound/keys.d/unbound_server.key"
tls-service-pem: "/etc/unbound/keys.d/unbound_server.pem"
Null routing the open DoH resolvers is just having a startup script that reads a list of all their IP addresses and runs ip route add blackhole "${IP}" 2>/dev/null
People will argue that DoH can run on anything, which is true, but all the major resolvers will always use dedicated IP addresses so as not to risk blocking CDN endpoints. If the child's account is not able to gain admin privs then their ability to change settings can be disabled.
99% of people have no idea what this means, but they do understand voting.
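A sketch of the null-routing startup script described in the comment above, added here as an example and not the commenter's own script. It assumes the list file holds one address per line with optional # comments; the function names and the DRY_RUN switch are hypothetical. Each entry is validated before it reaches ip, so a malformed or tampered list line is skipped instead of being passed to a root-run command.

```shell
#!/bin/sh
# Added example: blackhole every address in a DoH resolver IP list.
# The list path is passed as $1; DRY_RUN=1 only prints the commands.

# Strict dotted-quad check: four decimal octets, each 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (input holds only digits and dots)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Loose IPv6 check: hex digits and colons only; "ip" does the final parsing.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|*:::*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the valid addresses from file $1, one per line; report the rest on stderr.
valid_addrs() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        addr=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace and CR
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr" || is_ipv6 "$addr"; then
            printf '%s\n' "$addr"
        else
            printf 'skipped invalid entry: %s\n' "$addr" >&2
        fi
    done < "$1"
}

# Add the blackhole routes (needs root), or print the commands when DRY_RUN=1.
apply_blackholes() {
    valid_addrs "$1" | while IFS= read -r addr; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'ip route add blackhole %s\n' "$addr"
        else
            ip route add blackhole "$addr" 2>/dev/null || true   # ignore duplicates on re-run
        fi
    done
}

if [ "$#" -gt 0 ]; then apply_blackholes "$1"; fi
```

Running it once with DRY_RUN=1 shows exactly which routes would be added and which list entries were rejected before anything touches the routing table.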