That represents a reasonable number of side channels the bad guys have to choose from (though obviously most of them will use Google or Cloudflare). Until the commercial feeds and firewall providers start listing them as a category, you probably want to add them to your DNS RPZ (or equivalent) to break the initial lookup of the DoH server. Obviously there’s nothing to stop applications/scripts using an IP address rather than a name, at which point it’s the usual game of whack-a-mole: block the IPs at the firewall if possible (Google currently make this tricky).
If you’re feeling lazy, I’ve collated the DoH addresses from the above lists into an RPZ feed that provides an NXDOMAIN response. Though obviously you should verify this and not trust me, but like I say, if you’re feeling lazy then the feed is “doh-no” via “ns.scramworks.net”. I’m using it myself so I’ll make fairly regular updates to it; the serial is in the normal YYYYMMDD## format.
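If you would rather build the zone yourself from the lists above, here is an added example (not the author’s feed and not the “doh-no” zone) that turns a list of DoH hostnames into an RPZ zone file: each name gets a `CNAME .` record (which RPZ treats as NXDOMAIN) plus a wildcard for subdomains, and the SOA serial follows the YYYYMMDD## convention mentioned above. The hostnames, nameserver and contact below are constructed placeholders.

```python
"""Generate a DNS RPZ zone that returns NXDOMAIN for DoH resolver hostnames."""
from datetime import date

# Constructed sample hostnames; substitute the DoH lists you actually collated.
DOH_HOSTS = ["doh.example.net", "dns.example-resolver.test", "DoH.Example.NET"]


def rpz_serial(day: date, revision: int) -> int:
    """YYYYMMDD## serial: date plus a two-digit revision (00..99 per day)."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must be between 0 and 99")
    return int(f"{day:%Y%m%d}{revision:02d}")


def rpz_records(hosts):
    """Build the policy records: 'host CNAME .' is the RPZ idiom for NXDOMAIN,
    and '*.host CNAME .' catches any subdomain of the resolver name.
    Names are normalised (lowercase, no trailing dot) and de-duplicated."""
    seen, lines = set(), []
    for host in hosts:
        name = host.strip().rstrip(".").lower()
        if not name or name in seen:
            continue
        seen.add(name)
        lines.append(f"{name}\tCNAME\t.")
        lines.append(f"*.{name}\tCNAME\t.")
    return lines


def build_rpz_zone(hosts, day: date, revision: int,
                   ns="ns.example.net.", contact="hostmaster.example.net."):
    """Return the complete zone text: $TTL, SOA, NS, then the policy records.
    A low TTL lets the zone pick up new serials quickly when the list changes.
    Load it in BIND with something like: response-policy { zone "doh-no"; };
    (assumed named.conf syntax; the zone name is whatever you configure)."""
    serial = rpz_serial(day, revision)
    header = [
        "$TTL 300",
        f"@\tIN\tSOA\t{ns} {contact} ({serial} 3600 600 604800 300)",
        f"@\tIN\tNS\t{ns}",
    ]
    return "\n".join(header + rpz_records(hosts)) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(DOH_HOSTS, date.today(), 1), end="")
```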
* I’m fairly sure that Mozilla claimed that DoH was meant to give users more choice and trust but what do I know.