Well, after a long day of wrestling with this, I got the speed fixed (back to 200-220Mbps).
After setting the modem to bridge mode and then back again to be a router, the speed was still around 60-80Mbps, in both cases. No idea why this happened.
A hard wired connection to the modem yields around 330Mbp (our internet ISP plan is a 300Mbps connection, so this really good). Wifi from the OpenWrt Archer was still 60-80Mbps at that point, which is terrible... It should be around 210, which is what it was just last night.
I had downgraded to OpenWrt v21.02.5 (because someone told me 22.03.4 might have issues on the Archer C7), but since then, out of curiosity, and since that report cited PPoE and I'm not using PPoE, I thought I'd go back to 22.03.4 and test the speeds. They remained a decent 210, so I stuck with 22.03.4. But then, today, switching the modem to bridge mode and back seems to have messed something up and I saw the slower speeds.
So I downgraded back to 21.02.5. Wifi speeds were still 60-90... Hard wired ethernet to the OpenWrt router gets around 320. So it has something to do with the wifi.
Then I reset the router config (stayed on 21.02.5) which allowed me to go through and re-set the settings and test as I went. I tested again and got around 150. Then I enabled software offloading on the firewall page and got 220, so I'm back to where I started. Wow, what an ordeal. I guess double NAT doesn't really matter, after all, at least in terms of speed, or I did something wrong in the process.
Hopefully this is helpful for someone. But the Pi does appear to be working well, as does Unbound and Banip.
Thanks again for all your guys' help.
One last question, though:
Now I see this on the main status page:
Protocol: DHCP client
DNS 1: 192.168.0.1
The network is announcing the DNS server (the Raspberry Pi IP address) to clients via the Interface -> LAN -> DHCP Server -> Advanced Settings, but should I also set the Pi IP address somewhere else so it sets DNS for the router itself - in order to change that "DNS 1: 192.168.0.1" entry to be the Raspbery Pi IP address? 192.168.0.1 suggests the router is using the modem/router's DNS, which is set to use our ISP's DNS, which I'd rather not use.