Yes, I disable it using the suggested method of returning NXDOMAIN for "use-application-dns.net". I do also disable it in applications such as the browser to avoid the log entries.

    grep appli /etc/unbound/unbound.conf 
     local-zone: "use-application-dns.net." always_nxdomain

And then I have about 80 IP's that I blackhole. People often counter that with, "but DoH can run on any HTTPS endpoint and you can't block CDN's", and whilst this is true I have never run across a CDN performing front-ending DoH and I am the type of person that will block a CDN. I can route HTTPS for specific applications through my own VPN mesh if it came to that and use Squid SSL Bump MiTM proxies to sanitize URL's which I have done in the past. It would just be a couple ACL's in Squid to block DoH end-points. The only domains I can not MiTM are those still using public key pinning such as Paypal which I will never use, eff.org, and a few Google sub-domains. There are probably a few others I have not run across on my Squid proxies.

As a side note, I think PiHole should consider adding a feature for Squid MiTM proxy mode so that more people can do this, with options like peeling off specific LAN clients to use the proxy or force everything through it.

Blocking DoH at the router is almost impossible because it looks exactly the same as other HTTPS traffic.

The only option is to do a man in the middle like some business firewalls (eg zscaler) do.

I don't like DoH much either because apps can use it to bypass my local pihole. But blocking it is hard when an app hardcodes its own DoH server.

DoH is really a solution for a US problem that we in Europe don't have. Here it's illegal for ISPs to use deep packet inspection to datamine their customers.