The added overhead of HTTP over TLS (HTTPS) versus raw TLS is negligible. You can write an HTTP server as a shell script, it's so simple. I've done it. It's barely more complicated than finger if all you're implementing is GET.
It's easier to add a "GET" string and a blank line to a request than to get every random firewall to open another UDP port. Yeah, wearing my network administrator hat I'd rather they do things technically correctly, but as desktop support pleading with Mordac the Preventer upstairs in corporate IT I've given up... run everything over HTTP.
As for the US government writing an NSL to Cloudflare... that gets them most of the juicy stuff even without DoH, given that even people like 8chan used (now that's past tense) them. And the guy who's doing router injection on your local WiFi network can't do that. Nor can your hotel or airport or hospital or employer.
On an evil scale of 0 through ActiveX on the Desktop, this barely flips the needle.
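To make the "HTTP server as a shell script" claim above concrete, here is an added example of a GET-only HTTP/1.0 responder in POSIX sh. It is not the commenter's script and not part of the original thread; the file layout (a `DOCROOT` directory, `index.html` for `/`), the `--serve` flag, and the fixed `text/plain` content type are my own assumptions. It shows what the comment describes: parse one request line, skip headers up to the blank line, and answer. The only extra work beyond that is refusing anything that is not a plain GET and refusing paths containing `..`, which is the minimum a server exposed to a network should do even when it is "just" serving files.

```shell
#!/bin/sh
# Added example (not the commenter's code): a GET-only HTTP/1.0 responder in POSIX sh.
# Assumption: one process per connection, request on stdin, response on stdout,
# the way inetd, systemd socket activation or socat's EXEC: would run it.

DOCROOT="${DOCROOT:-/tmp/hs-docroot}"   # assumed layout: files served from here

# Write a status line plus the few headers a 1.0 client needs; body follows.
http_headers() {
    printf 'HTTP/1.0 %s\r\nContent-Type: %s\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' \
        "$1" "$2" "$3"
}

# Short plain-text error reply: $1 = status line, $2 = message.
http_error() {
    msg="$2
"
    http_headers "$1" "text/plain" "$(printf '%s' "$msg" | wc -c | tr -d ' ')"
    printf '%s' "$msg"
}

# Read exactly one request from stdin and write exactly one response to stdout.
serve_get() {
    # Request line is "METHOD SP PATH SP VERSION" ending in CRLF; strip the CR.
    IFS= read -r line || return 1
    line=$(printf '%s' "$line" | tr -d '\r')
    method=${line%% *}
    rest=${line#* }
    path=${rest%% *}

    # Drain the header block up to the blank line; a GET-only server ignores it.
    while IFS= read -r h; do
        h=$(printf '%s' "$h" | tr -d '\r')
        [ -n "$h" ] || break
    done

    if [ "$method" != "GET" ]; then
        http_error "405 Method Not Allowed" "only GET is implemented"
        return 0
    fi

    # Path must be absolute and must not step out of DOCROOT. No percent-decoding
    # is done, so "%2e%2e" stays a literal (nonexistent) file name rather than "..".
    # Limitation: a symlink inside DOCROOT pointing outside it is not caught here.
    case "$path" in
        /*) ;;
        *)  http_error "400 Bad Request" "path must start with /"; return 0 ;;
    esac
    case "$path" in
        *..*) http_error "400 Bad Request" "path may not contain .."; return 0 ;;
    esac

    file="$DOCROOT$path"
    if [ "$path" = "/" ]; then
        file="$DOCROOT/index.html"
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        http_error "404 Not Found" "no such file"
        return 0
    fi

    # Always text/plain here; a real server would map the extension to a type.
    http_headers "200 OK" "text/plain" "$(wc -c < "$file" | tr -d ' ')"
    cat "$file"
}

# Only act as a server when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--serve" ]; then
    serve_get
fi
```

To try it by hand: `printf 'GET /index.html HTTP/1.0\r\nHost: x\r\n\r\n' | sh getd.sh --serve`. To put it on a socket, hand each connection to the script with something like `socat TCP-LISTEN:8080,reuseaddr,fork EXEC:"sh getd.sh --serve"` (or an inetd entry); the script itself never touches the network, which is what keeps it this short.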