I use quad9 with DNS over TLS systemwide with openbsd unwind
unwind.conf config
forwarder { 9.9.9.9 port 853 DoT 149.112.112.112 port 853 DoT }
preference { DoT }
firefox's use of cloudflare for DoH is irresponsible, and possibly worse than just sending your DNS queries to your ISP's default servers. It would be in line with Mozilla's other practices though.