Complete Network blocking
Could there be an option to immediately block all DNS requests (essentially doing a complete network block) except to NextDNS (so you can still log in and unblock) in case of an emergency eg. viruses or ransomware spreading or suddenly high internet traffic from your home network. There had been cases where the only way was to login and turn off the internet link essentially also locking yourself out.
Install https://github.com/hjk789/NXEnhanced, create a new config, block all TLDs then add the allowlist for NextDNS domains, and export the config. When you want to block all DNS requests, just import that config to your current config (after backing it up first), then restore from the backup when you're done.
This obviously only works against malware that somehow still honors OS/router DNS config. I doubt it, making their own DoH client is easier than ever, and since you still whitelist NextDNS domain, they can even make a request to unfiltered NextDNS config.