It wasn't worth it, even though I solved it in the end.
My devices were intermittently not going through the PiHole like I expected, so at random times Facebook and Twitter would magically load again.
This started a wild goose chase from changing IPv6 settings to some router shenanigans, and then installing all sorts of firewall and IP related packages that didn't come with the DietPi.
The changes eventually fixed my phone, and broke the desktop entirely. Literally all requests on the desktop bypassed the Pi.
Then I decided to take a closer look at the PiHole's query logs. Lo and behold, apparently all my desktop queries ended in SERVFAIL replies. It was, in fact, not PiHole's fault.
The moral of the story is to frequently run time sync on your DNS resolver and devices, because unbound is very dependent on timing for DNSSEC to work. :) The week isn't even halfway done and I'm dying over here.