It's pretty unusual for ISPs to do this. But Spectrum is big enough that it's a still a valid concern.
Especially now that more and more people are using mobile networks from people like AT&T and Verizon, and these companies are effectively scum of the earth.
The real solution is to have the OS itself deal with DNS privacy concerns, not the browser. Localhost DNS resolver with DNSSEC enabled that will bypass the default DNS settings and go out to 'trusted' DNS servers when DNSSEC fails. Maybe even use DoH if ISP blocks normal DNS traffic.
From my understanding there is no reason a OS level resolver library can't support DoH, I am surpised we haven't seen whatever Linux uses add support for it. Or maybe it did and I missed it.
Just a reminder that DNSSEC doesn't do much of anything to protect Internet privacy --- all it does is sign queries, it doesn't encrypt, and the signatures are with keys effectively escrowed to the owners of the TLDs (most frequently, world governments).
I do not think a full local resolver is necessary. E.g. stubby [0] can be set up to use a remote resolver via DNS over TLS (simpler than DoH, less of a hack, all the same crypto guarantees). That remote resolver can be CloudFlare, Quad 9/101, or self-hosted unbound instance. Then only the remote resolver has to worry about caching and DNSSEC, etc.
Especially now that more and more people are using mobile networks from people like AT&T and Verizon, and these companies are effectively scum of the earth.
The real solution is to have the OS itself deal with DNS privacy concerns, not the browser. Localhost DNS resolver with DNSSEC enabled that will bypass the default DNS settings and go out to 'trusted' DNS servers when DNSSEC fails. Maybe even use DoH if ISP blocks normal DNS traffic.