[Solved] DNS hijacking and VPN

Lol, well said :slight_smile:

Thanks a lot for taking your time to explain the details!

I see I had a misconception about the priorities - thanks for pointing this out!

Re item 1 (simple DNS interception):

Indeed, there was no jump at all to WGINTERFACE.

Yes, simple DNS interception is working for both wan and WGINTERFACE.

Item 2 I assumed to be all good and did not test.

banIP rules have iifname and oifname clauses. So, for item 3, I added WGINTERFACE to banIP:

uci add_list banip.global.ban_ifv4="WGINTERFACE"
uci add_list banip.global.ban_dev="WGINTERFACE"
uci commit banip
service banip restart

banIP now lists:

And, yes, DoH blocking now works for WGINTERFACE, too.

Thanks a lot, once again!

Re this:

I still want to do some more tinkering. banIP blocks by IPs, not by names, so

nslookup doh.dns.apple.com

run on a client returned a good number of IPs, and not all of them are in the banIP DoH blocklist.

Probably I will look to see whether there are any filters to add to AGH.

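The gap the post describes (banIP matches on addresses, so a DoH host that resolves to many addresses is only blocked where the list happens to cover them) is easy to measure. Below is an added example, not code from the thread or from banIP or AdGuard Home, that automates the `nslookup` comparison: it parses a blocklist in the one-entry-per-line form banIP lists use (single addresses or CIDR prefixes), resolves a hostname from the client, and reports every returned address that no blocklist entry covers. The blocklist contents and the resolved addresses embedded here are constructed samples drawn from documentation ranges; the list file path and the assumption that the check runs on a client with Python are mine.

```python
#!/usr/bin/env python3
"""Report which addresses a DoH hostname resolves to that a banIP-style
IP blocklist does not cover (added example, not part of the original post)."""
import ipaddress
import socket
import sys

# Constructed sample of a blocklist in banIP's one-entry-per-line form.
# These are documentation ranges (RFC 5737 / RFC 3849), not real DoH servers.
SAMPLE_BLOCKLIST = """\
# doh blocklist (constructed sample)
192.0.2.10
192.0.2.0/28
2001:db8:1::/48
"""

# Constructed stand-in for the answers `nslookup <doh-host>` returned on a client.
SAMPLE_RESOLVED = [
    "192.0.2.10",      # listed as a single address
    "192.0.2.5",       # inside 192.0.2.0/28
    "192.0.2.200",     # not covered
    "2001:db8:1::53",  # inside 2001:db8:1::/48
    "2001:db8:2::53",  # not covered
]


def parse_blocklist(text):
    """Turn blocklist lines into ip_network objects; '#' starts a comment.
    A bare address becomes a /32 or /128 network so membership tests are uniform."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def uncovered(addresses, nets):
    """Return the addresses that fall in none of the blocklist networks,
    preserving input order. An empty result means the list fully covers the host."""
    missing = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing.append(addr)
    return missing


def resolve(hostname):
    """Live lookup from the client's resolver (only used when run directly).
    Port 443 because that is where DoH listens; both address families are returned."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})


if __name__ == "__main__":
    # Usage: doh_coverage.py [hostname] [blocklist-file]
    # With no arguments the constructed samples above are used.
    nets = parse_blocklist(open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_BLOCKLIST)
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESOLVED
    for addr in uncovered(addrs, nets):
        print("not covered:", addr)
```

Running it against the real hostname and an exported copy of the DoH list shows exactly which answers slip past the IP-based rule; a non-empty result is the cue to block the name at the resolver (AGH) instead of, or in addition to, the address set, since resolver-side blocking is what keeps up when the provider rotates or adds addresses.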