To add to this, various things try to bypass the Pi-hole by doing their own DNS. Google devices skip the Pi-hole, and I’ll bet others do too. You can catch at least some of the bad behaviour by blocking all outbound port 53 traffic that isn’t from the Pi-hole, or redirecting it back to the Pi-hole.
It's funny because at home, apps bypassing my DNS annoys the hell out of me, but in China, which is where I currently am, DNS-over-HTTPS is necessary just to get online some days.
I just wish there was a manual captive portal check button built into browsers that forces a standard port 53 check, because if I'm behind a captive portal I have to reset my DNS settings to sign in before then switching it back to get my VPN to connect.
I’m sure this will be beaten though.
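The port 53 block or redirect suggested in the first comment, written as a generator for an nftables ruleset. This is an added example, not code from any commenter; it assumes an nftables-based IPv4 router, and the table name `force_pihole`, the address 192.168.1.2 and the interface `br-lan` used to try it are constructed.

```shell
# Added example (not from the thread): print nftables rules forcing LAN IPv4 DNS via a Pi-hole.
# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_dns_rules MODE PIHOLE_IP LAN_IF   (MODE is "block" or "redirect")
gen_dns_rules() {
    mode=$1 pihole=$2 lan_if=$3
    valid_ipv4 "$pihole" || { echo "bad Pi-hole address" >&2; return 2; }
    case $lan_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 2 ;; esac
    # Match LAN traffic that neither comes from nor is addressed to the Pi-hole.
    match="iifname \"$lan_if\" ip saddr != $pihole ip daddr != $pihole"
    dns="meta l4proto { tcp, udp } th dport 53"
    case $mode in
    block)
        cat <<EOF
table ip force_pihole {
  chain forward {
    type filter hook forward priority filter; policy accept;
    $match $dns reject
  }
}
EOF
        ;;
    redirect)
        cat <<EOF
table ip force_pihole {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    $match $dns dnat to $pihole
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip daddr $pihole $dns masquerade  # hairpin NAT; Pi-hole logs the router as client
  }
}
EOF
        ;;
    *) echo "mode must be block or redirect" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || gen_dns_rules "$@"
```

Write the output to a file and check it with `nft -c -f` before loading it. The rules only see plain DNS on port 53, so the DNS-over-HTTPS mentioned in the thread, which runs over port 443, passes untouched.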