Do you have a different recommendation then? The only non encrypted DNS requests in this setup will the one made by the router itself if it can't reach stubby, however, this situation is required if you are using the install to RAM option.
Now, if you install stubby normally, in a persistent way, I suggest that you set 127.0.0.1 and ::1 as the only static DNS servers in the network configuration.