Re: DNS over HTTPS
by Bitsky on 10/11/2019, 09:04:16 UTC
⭐ Merited by suchmoon (4)
Conveniently, they do not mention that DoH does nothing for your privacy when someone can monitor your traffic.

Let's assume you used DoH to resolve a domain to its IP. Now you can be happy because your ISP (or any middlemen) cannot see where you go, right?

Wrong.

1a. If the target website has a dedicated IP, the bad guys can try a PTR lookup for the domain name,
Code:
dig +short -x 1.1.1.1

1b. or just check the certificate for the domain names it is valid for:
Code:
echo | openssl s_client -connect 1.1.1.1:443 2>&1 | openssl x509 -noout -text | grep 'DNS:'

2. If the target website is a virtual host (shares the same IP with other websites) then the bad guys just have to watch the traffic, because in order to offer the correct certificate, the server first needs to know where you want to go. And because you cannot have a TLS session without the certificate, your client sends out the server_name in plain over HTTP first to tell the server which certificate to send back.

3. Thanks to OCSP (not stapled), the browser will send a request to the CRL-URL of the CA via HTTP (not HTTPS) so it can be seen in plain text in your traffic.

4. If you use Firefox, the bad guys just need to reply to a DNS query for use-application-dns.net with NXDOMAIN to disable DoH (for now).

So, to sum it up, you get no additional privacy, but less. Having 99.9% of all DNS requests centralized will sooner or later get the attention and interest of not only data-analysts and advertising networks, but also governments.

DoH theoretically protects you from forged replies, but only if you really trust Cloudflare. However, DNSSEC was specifically designed to let the zone-master sign the reply and is already fully functional and available.