the isp blocks/redirects the traffic outside my network. so if you just try to send normal udp/tcp port 53 externally, it won't get there. This is why I mention a pihole; by setting my dns server to something on my local network and then having that use DoH I can get past the block. I can't configure every device to use eg DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP

the vpn provider, it's just a split tunnel thing; since that is a local process, yes they can hijack it. Originally when we switched to our current vpn provider it didn't even let us use localhost or loopback dns, but we needed that for the way we use docker in development, so now it's just anything except those being redirected.

I configure my router to divert all UDP/53 to my pi hole. The advertising industry hates this type of behaviour, but it means ever an IoT device using hard coded dns (rather than what I tell them from my dhcp or nd settings)

This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.

They absolutely can and some do. The destination UDP port number of a UDP packet traversing the core network of an ISP can be inspected and acted upon as one pleases.

They can do anything unless constrained by cryptography. I assume it just means redirecting all port 53 traffic which 99% of time will be DNS regardless of IP.