Few guidelines here.
Decent router with dual core at least. Main router doesn't even need Wi-Fi if you have decent APs to provide coverage (and this may be preferable if your cable/VDSL/fibre comes into the house in an awkward place).
Decent switch with VLAN capability (with PoE if you can, for powering dedicated APs).
Some decent APs. (Ubiquiti, but make sure you pick a stable firmware or stuff breaks. Bonus is you can flash it with OpenWrt if you get fed up with Ubiquiti's lack of QA.)
I'd also suggest reading both of the following articles.
^this. Absolutely this. Small steps and rollback if required. Also, personally I separate my 2.5G and 5G Wi-Fi SSIDs. I get better coverage, as with dual band it would fall back to the "stronger" but slower 2.4G when I was at range from the AP.
Have a look at AdGuard Home. It does encrypted DNS internally. No need for unbound or other plugins. And also provides filtering and client settings.
Thread there for manual installation on router or you can use the opkg version which is detailed on the wiki here.