You're not wrong, but you're hiding the issue. We know about DNS and how to block it, detect it, log it, redirect it. We have a few scenarios to consider:

A Trojan makes DNS requests for strange stuff using the OS- or network-provided DNS servers. We (admins) see it, and we do something about it.

A Trojan makes DNS requests directly to 8.8.8.8 or some other hard-coded server. We (admins) see it and we do something.

A Trojan makes DNS using DoH via random IPs on the Internet. This is harder to detect, but if we see random small requests from a process to HTTPS on the Internet and we don't know what's going on, particularly if there are no local DNS lookups which correspond to those connections (or to later connections which were looked up using DoH), we (admins) think this is suspicious and may look into it.

Or, should DoH become pervasively used, we see lots of DoH requests to common DoH servers (Cloudflare, Google), and we just have to accept that we no longer have tools to look at DNS for suspicious behavior, and we can't ever know whether connections happen because of a legitimate lookup, or because of hard-coded IPs, or for any other reason. Couple this with the nature of "the cloud", and we now have a scenario where there's literally no way to know what connections to Amazon AWS or to Cloudflare correspond to, are for, or why. So you've undone our own control of our own networks.

If DoH does become pervasive, we're going to need "firewalls" at the application level on every client machine to protect ourselves from individual applications which could be Trojans or viruses. We'll have no way to track command-and-control for botnets. And since Cloudflare doesn't give the tiniest care about abusive behavior, we have breeding grounds for botnets which can easily be legitimized by simply being Cloudflare customers.
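The detection heuristic the comment sketches (outbound HTTPS connections with no corresponding local DNS lookup) can be scripted against resolver and flow logs. The following is an added example, not code from the commenter or from any product; the two log formats, all IP addresses and timestamps are constructed for the example, and the set of known public DoH resolvers is an assumed starting list to be extended for a given environment.

```python
"""Correlate local DNS answers with outbound TLS connections.

Heuristic: a client's outbound 443/tcp connection whose destination IP was
never handed to that client by the local resolver shortly beforehand either
used a hard-coded address or resolved the name out of band (e.g. over DoH).
Connections to well-known public DoH resolvers are reported separately,
because they may carry DNS itself rather than result from a lookup.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver log sample: "ts client qname answer_ip"
DNS_LOG = """\
1700000001 10.0.0.15 www.example.com 93.184.216.34
1700000002 10.0.0.15 updates.example.org 203.0.113.10
1700000005 10.0.0.22 mail.example.net 198.51.100.7
"""

# Constructed flow log sample: "ts src dst dport proto bytes"
CONN_LOG = """\
1700000003 10.0.0.15 93.184.216.34 443 tcp 5210
1700000004 10.0.0.15 203.0.113.10 443 tcp 83111
1700000006 10.0.0.22 198.51.100.7 443 tcp 4100
1700000007 10.0.0.15 192.0.2.77 443 tcp 610
1700000008 10.0.0.15 192.0.2.77 443 tcp 640
1700000009 10.0.0.15 192.0.2.77 443 tcp 655
1700000010 10.0.0.22 1.1.1.1 443 tcp 420
"""

# Assumed starting list of public DoH resolver addresses; extend per environment.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_dns_log(text):
    """Index answers as (client, answer_ip) -> [(ts, qname), ...]."""
    index = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, answer = line.split()
            index[(client, answer)].append((int(ts), qname))
    return index


def parse_conn_log(text):
    """Keep only TLS-looking flows (443/tcp); other traffic is out of scope here."""
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto, nbytes = line.split()
            if proto == "tcp" and int(dport) == 443:
                conns.append(Conn(int(ts), src, dst, int(dport), int(nbytes)))
    return conns


def lookup_preceded(conn, dns_index, window):
    """True if this client received conn.dst in a DNS answer within `window` seconds before connecting."""
    return any(0 <= conn.ts - ts <= window
               for ts, _qname in dns_index.get((conn.src, conn.dst), []))


def classify_connections(dns_text, conn_text, window=300):
    """Bucket each TLS flow: resolved locally, to a known DoH resolver, or unresolved.

    Unresolved flows are counted per (src, dst) so repeated small connections
    to one destination, the beaconing-like pattern the heuristic targets,
    stand out as a high count rather than as scattered single hits.
    """
    dns_index = parse_dns_log(dns_text)
    unresolved = defaultdict(int)
    report = {"resolved": 0, "doh_resolver": [], "unresolved": unresolved}
    for conn in parse_conn_log(conn_text):
        if conn.dst in KNOWN_DOH_RESOLVERS:
            report["doh_resolver"].append((conn.src, conn.dst))
        elif lookup_preceded(conn, dns_index, window):
            report["resolved"] += 1
        else:
            unresolved[(conn.src, conn.dst)] += 1
    report["unresolved"] = dict(unresolved)
    return report


if __name__ == "__main__":
    result = classify_connections(DNS_LOG, CONN_LOG)
    print("resolved locally:", result["resolved"])
    for src, dst in result["doh_resolver"]:
        print(f"connection to known DoH resolver: {src} -> {dst}")
    for (src, dst), n in result["unresolved"].items():
        print(f"no local lookup: {src} -> {dst} ({n} connections)")
```

The output is triage input, not a verdict: a client using a long-lived cached answer, a CDN returning a different address than the one it later connects to, or a resolver log with gaps will all show up as "no local lookup". Tune the window to the TTLs seen in the environment and whitelist known hard-coded destinations before acting on the counts.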