The point of this is to have working DNS resolution for the router itself during boot and shortly after when dnsmasq and stubby aren't running yet (e.g. downloading blocklists for adblock, time sync, opkg stuff, ...).
DNS requests of the connected clients will still be going through dnsmasq and stubby, the settings are for the WAN interfaces only.
As soon as all services are running, the requests made by the router will also go through dnsmasq and stubby. Plain requests will only be made if dnsmasq is not running, but only for the router itself, not the clients. The requests made by the clients will simply fail.
You can of course also assign certain domains like "pool.ntp.org" to a certain resolver (like you did) to ensure a smooth boot process. But if you do that they will always be plain DNS requests since dnsmasq will not use stubby.
I also had issues with adblock failing to download some lists if it had to wait for dnsmasq and stubby to be running. So I switched to this config and it seems to work fine so far.
DNS requests made by the router during boot -> unencrypted
DNS requests made by the clients during boot -> failing
DNS requests made by the router when dnsmasq/stubby is up -> encrypted
DNS requests made by the clients when dnsmasq/stubby is up -> encrypted
You may also try to tweak the starting priorities of the services a bit to ensure dnsmasq / stubby are running earlier. But I don't see a need to mess with that.
If you really want to make sure all requests from within your LAN will go through the router, you can intercept connections to port 53 with iptables and redirect them (or block them outright).
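
The port 53 interception mentioned at the end of the post above, as an added example that is not part of the original post: a small script that either redirects LAN DNS to the router's own dnsmasq or rejects DNS forwarded past the router. The interface name `br-lan`, the `DRY_RUN` switch and the function names are assumptions made for this sketch, and it assumes the router's firewall is iptables-based.

```shell
#!/bin/sh
# Added example: force LAN DNS (port 53) through the router, or block bypasses.
# Assumptions: LAN bridge is br-lan, dnsmasq listens on port 53 on the router.
LAN_IF="${LAN_IF:-br-lan}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = apply them

# Run one iptables command, or print it when in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Add a rule only if an identical one is not already loaded (-C checks for it),
# so the script can be re-run without stacking duplicates.
add_rule() {
    table="$1"; op="$2"; chain="$3"; shift 3
    if [ "$DRY_RUN" != "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$table" "$op" "$chain" "$@"
}

# redirect: rewrite the destination of LAN DNS packets to the router's port 53.
# block:    reject LAN DNS packets that would be forwarded to an outside resolver.
dns_rules() {
    mode="$1"
    for proto in udp tcp; do
        case "$mode" in
            redirect)
                add_rule nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
                    -j REDIRECT --to-ports 53 ;;
            block)
                add_rule filter -I FORWARD -i "$LAN_IF" -p "$proto" --dport 53 \
                    -j REJECT ;;
            *)
                echo "usage: dns_rules redirect|block" >&2
                return 1 ;;
        esac
    done
}

# When called with an argument, act on it: sh dns-intercept.sh redirect
if [ $# -gt 0 ]; then dns_rules "$1"; fi
```

With the default `DRY_RUN=1` the script only prints the commands; rules applied with `DRY_RUN=0` do not survive a reboot or firewall reload unless they are also added to the firewall's persistent configuration.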