I do warn about this in my thread. This is why the router is set to use one dns and then the clients use DOH via AGH.
(The reason you setup OpenWrt to use a different unencrypted upstream is so when it brings up your connection it can do NTP and updates as AGH will still be loading. Without NTP setting your router time / date correctly, SSL will fail and thus no encrypted DNS.)
There is also this https://openwrt.org/docs/guide-user/services/dns/adguard-home#bypassing_encrypted_dns_for_ntp for passing NTP unencrypted to the upstream if you really want to use AGH for router DNS and Client DNS. However the router really doesn't need to loop through AGH.
[/pool.ntp.org/]1.1.1.1
[/pool.ntp.org/]1.0.0.1
[/pool.ntp.org/]2606:4700:4700::1111
[/pool.ntp.org/]2606:4700:4700::1001