You're at the mercy of the hardware in all cases. You can't do anything without trusting some external party unless you make an apple pie from scratch, but reducing the number of parties needing trusting is usually a good security approach.
The hardware and OS in the case of DoH only gets the IP address for the connection. It's not horribly hard to figure out who owns that IP address, but it's definitely harder than just reading a domain name.
In the OS you need to trust (1) the OS vendor, (2) the client vendor & (3) any VPN app or HTTP intermediary that's integrated with OS network APIs.
In the client you need only to trust the client vendor.