Exactly. Unbound, Stubby would extend DNSMasq and allow encrypted DNS.
If you are using AGH you can do that internally from AGH and you do not need those external programs.
Interestingly it appears that NextDNS's client is somewhat lacking and current guidance is to use AGH as a proxy to using NextDNS as an upstream provider. So just install AGH, setup NextDNS as upstream, disable any filtering in AGH and you are done.
I have compiled an up to date OpenWrt and AGH install thread here :