For tracking web histories, end points are known. It's the DNS queries, HTTP traffic, web browsers and the OS themselves. Encryption means Eve can't know the message as long as Alice and Bob themselves don't tell her, and Eve has no way to force them. It's clear that if Eve can seduce, bribe, jail or torture Bob, the best encryption and strongest key is useless.
If Cloudflare has your DoH queries - it needs the plaintext to resolve the address - and the the FBI has the power to ask those data, DoH is useless to protect you from this specific threat.
Your provider will still see what IP you access even if the traffic payload is protected by HTTPS and the DNS query by DoH (it can't tamper with the DNS query, though).
A VPN would solve it (as long as the FBI can't ask them too), but if your Chrome browser sends your whole browsing history to Google for profiling, any VPN encryption is useless. When Windows 10 does the same, any VPN is again useless. What about Android? What about all the beacons in a web page, i.e. from Facebook? Can you trust your endpoint, and the remote one?
Maybe the spooks don't have access to any endpoint, but Google & C. often does. The spook just need to ask them. You need to be really paranoid and competent to browse without being tracked.