Excellent analysis, which I wholeheartedly agree with.
As distribution default:
Yes, let’s go for the feature, which can be implemented reasonably reliably. And indeed, let’s not pick a specific third-party DNS provider or invent a complex user interface.
Right. So DNS won’t be torified by default in Kicksecure. As per:
Yes.
The decision is made.
Right. Next step is implementation. The only blocker now is either getting unbound fixed, finding another secure, capable DNS resolver, if one exists or some other workaround to make unbound reliable as you suggested.