If I'm an evil monetizing ISP or a great firewall, I don't really need to catch 100% of the traffic I'm trying to prevent. If there's a handful of people who can circumvent my restrictions, that's fine. As long as I get all the people trying to use popular DNS, that's good enough.
If I really do need to get that last bit, there's always other analysis to be done (request/response size/cadence, always talks to host X before making connections to other hosts, etc)
Not 100% of people need/care about such workarounds either though, so it works out.
For true government level interest in what you are doing, it's a much harder conversation than e.g. avoiding ISPs making a buck intercepting with wildcard fallbacks and is probably going to need to extend to something well beyond just DoH if one is convinced that's their primary concern.
If I really do need to get that last bit, there's always other analysis to be done (request/response size/cadence, always talks to host X before making connections to other hosts, etc)