Dnscrypt-proxy supports DNS over https (doh), oblivious DNS over https (odoh), DNS over TLS (dot), and dnscrypt (encrypted and anonymous DNS).
IP and domain blacklist. IP whitelist.
End to end encrypted.
You can use quad9, cloudflare, etc, or any provider you like.
I use https://dnscrypt.ca/about.shtml for my doh and as one of my dnscrypt servers.
Depending on your os it’s pretty simple to setup.
The reverse may be a better option(?), as you can completely remove / disable ALL google services (google play, google play services, google framework, etc.) within the work profile
I use insular, which is a fork of shelter/island.