Default DNS Provider Discussion for Kicksecure (not Whonix!)

There isn’t a technical protection. But there are widely different policies.

Blocking.

But monitoring is also a different point. The capability of monitoring all DNS would be moved from the user’s ISP to Cloudflare or similar.

I didn’t research if there are already specific examples where Cloudflare specifically is blocking any websites; however, this is about the shift of the power balance through such a change.

A bit theoretic and about principles but not too theoretic.

For example, a different but for this discussion comparable US-based organization, Let’s Encrypt, was forced to block a website for residing in a territory (Donetsk) that the US government decided shall be ineligible. Source: Dnr-online.ru certificate was revoked - Help - Let's Encrypt Community Support

Now the contents of the variable of the specific blocking here (US, Let’s Encrypt, Donetsk, the website) don’t matter for the general principle.

Something similar might happen with Cloudflare or any other default selected DNS provider.

Something (DNS) with default settings (user default DNS) would be functional while the improvement by Kicksecure (changing default DNS server) would be moving that power to block away from their local region to some other region.

I don’t know why but could this be the reason why Firefox enabled DoH (DNS over HTTPS) for US only and not globally?

Indeed, this is unrelated and I wouldn’t mention this here since that would be a conscious, manual user opt-in.