ProllyInfamous 2 hours ago

Pro-tip: have your DHCP server auto-issue your PiHole's IP as the DNS address — this makes all IoT and phones use your PiHole (unless secure-DNS or hardcoded). There are methods to make your firewall accomplish something similar (pfSense?) but I don't know how and DHCP is easier, at least for my network users.

My [now disabled] Honeywell thermostat had the most packet-sends (not data, just #packets). Wouldn't have caught it without my network defaulting to PiHole.

ycombinatrix an hour ago

You also need to block outgoing UDP traffic to port 53 in your router, in case the IoT devices fall back to a preconfigured resolver. And even that doesn't 100% work because they can use DNS over HTTPS.

Best to just airgap the device.
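An added example, not part of either comment above: a small audit that scans firewall connection logs for LAN devices sending port-53 traffic to a resolver other than the Pi-hole, which is how a hardcoded or fallback resolver shows up. The log format, the IP addresses and the name `find_dns_bypass` are assumptions constructed for illustration; adapt the regex to whatever your router actually logs.

```python
import re
from collections import Counter

# Assumption: the address the DHCP server hands out as the DNS server.
PIHOLE_IP = "192.168.1.2"

# Constructed sample lines in a made-up key=value format (not a real firewall's output).
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.168.1.23 dst=192.168.1.2 proto=udp dport=53
2024-05-01T10:00:02 src=192.168.1.40 dst=8.8.8.8 proto=udp dport=53
2024-05-01T10:00:03 src=192.168.1.40 dst=8.8.8.8 proto=udp dport=53
2024-05-01T10:00:04 src=192.168.1.40 dst=1.1.1.1 proto=tcp dport=53
2024-05-01T10:00:05 src=192.168.1.2 dst=9.9.9.9 proto=udp dport=53
2024-05-01T10:00:06 src=192.168.1.40 dst=203.0.113.10 proto=tcp dport=443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def find_dns_bypass(log_text, pihole_ip=PIHOLE_IP):
    """Return {client_ip: Counter({resolver_ip: packets})} for DNS that skips the Pi-hole."""
    bypass = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line
        # Plain DNS only: UDP or TCP to port 53.
        if int(m["dport"]) != 53 or m["proto"] not in ("udp", "tcp"):
            continue
        src, dst = m["src"], m["dst"]
        # Ignore clients that use the Pi-hole, and the Pi-hole's own upstream lookups.
        if dst == pihole_ip or src == pihole_ip:
            continue
        bypass.setdefault(src, Counter())[dst] += 1
    return bypass


if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        for resolver, count in resolvers.most_common():
            print(f"{client} sent {count} DNS packet(s) directly to {resolver}")
```

DNS over HTTPS looks like ordinary port-443 traffic in such a log, so this check cannot see it; the sample's 443 line is deliberately not flagged.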