Arrgh...
There's a balance to be found somewhere but right now I prefer to use Little Snitch to restrict adverts and tracking via the browser, and then private browsing over VPN as the next layer up. The problem with DNS over TLS or HTTPS is that Little Snitch can't tell me the domain that's about to be visited :-(
As long as it's an option, great. But the moment there's no other option, I (we all of us) need a way to be able to selectively block outgoing traffic - by domain name. Please.