NetBSD-Users archive


Securing DNS traffic



I've got some spare time on my hands, so I decided to educate myself on
how to secure DNS traffic. I have a small home network with various
devices and most of them use public (Cloudflare or Google) DNS servers.

It seems there are two main security enhancements for DNS:

1. DNSSEC - digital signatures for DNS records to verify they haven't
been tampered with.

2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
port 853 and could be over TCP or UDP (DTLS), although it's not clear
to me if both TCP and UDP are always supported, or if it's mainly TCP.

I assume that NetBSD (and other OSes) libc simple stub resolver doesn't
support any of these options, so I would need to use something like
unbound(8) on a local network.

So I started looking at configuring unbound(8) and came across this
useful guide - https://calomel.org/unbound_dns.html

What I'm not sure about is this - unbound(8) has "root-hints" that
points to root DNS servers and it will handle recursive queries, but it
can also specify "forward-zone" where it can forward to Cloudflare or
Google recursive DNS servers. Both of these solutions would resolve DNS
names. So which one of them takes precedence and under what conditions?
Why have both active at the same time? Is one option better/more secure
than the other?

Thanks.
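
As an added example (not part of the original post), an unbound.conf fragment showing how the two options asked about interact: a forward-zone named "." covers every name, so queries go to the listed forwarders over TLS and the root hints are only used for names that no forward-zone covers. The file paths and the LAN prefix are assumptions to adjust for the local install.

```conf
# Added example, not from the original post. Paths and the LAN prefix
# below are assumptions; adjust them to the local installation.
server:
    # Listen for the home network's stub resolvers.
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow    # constructed LAN prefix
    access-control: 0.0.0.0/0 refuse

    # DNSSEC: root trust anchor, kept current by unbound-anchor(8).
    # Unbound validates signatures itself, including on answers that
    # arrive through a forwarder.
    auto-trust-anchor-file: "/path/to/unbound/root.key"

    # CA bundle used to authenticate the TLS certificate of each
    # forwarder against the name given after '#' in forward-addr.
    tls-cert-bundle: "/path/to/ca-certificates.crt"

    # Root hints are the starting point for full recursion. They are
    # consulted only for names not covered by a forward-zone.
    root-hints: "/path/to/unbound/root.hints"

# A zone named "." matches every query, so with this block present
# Unbound forwards everything and does not recurse from the roots.
# Remove the block to have Unbound recurse itself; those queries to
# authoritative servers are then sent unencrypted on port 53.
forward-zone:
    name: "."
    # Send forwarded queries over TLS (TCP port 853).
    forward-tls-upstream: yes
    # Default is "no": never fall back to recursion from the root
    # hints if the forwarders fail.
    forward-first: no
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
```

Run `unbound-checkconf` on the file before restarting the daemon to catch syntax errors and unreadable paths.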

