It seems like your whole threat model is avoiding DNS poisoning, which is fine, but I fail to see how you can compare using DoH/DoT to a VPN.
> so no one can even read which website you want to visit.
Except for the DNS provider (in your example, Google, so… yikes) and the operator of the network you’re on (since the destination IP can be rDNS’d or WHOIS’d, or simply grabbed from the Host header if your browser still tries HTTP first). Any traffic that is not encrypted will be snoopable. Traffic volume and connection times to each destination can be analyzed.
By contrast, a VPN will also use secure (if you trust the provider ofc) DNS servers for your requests, plus it makes all of the traffic completely opaque except for “going to this server”.
> no app, no account, no money required
You can also make your own free VPN service with a little technical knowledge.
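Added example, not part of the comment above: a small Python sketch of what a network operator's flow records still reveal when only DNS is encrypted, namely the Host header of any plaintext HTTP request plus volume and connection times per destination IP. The flow tuples, IP addresses (documentation ranges) and function names are constructed for illustration.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def http_host(payload):
    """Return the Host header if payload is a plaintext HTTP/1.x request, else None."""
    lines = payload.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def observer_view(flows):
    """Aggregate what an on-path observer learns per destination IP."""
    view = defaultdict(lambda: {"hosts": set(), "bytes": 0, "conns": 0,
                                "first": None, "last": None})
    for ts, ip, _port, size, payload in flows:
        d = view[ip]
        d["bytes"] += size
        d["conns"] += 1
        d["first"] = ts if d["first"] is None else min(d["first"], ts)
        d["last"] = ts if d["last"] is None else max(d["last"], ts)
        host = http_host(payload)
        if host:
            d["hosts"].add(host)
    return dict(view)

# Constructed sample: (unix_time, dst_ip, dst_port, bytes, first payload bytes)
TLS = b"\x16\x03\x01\x02\x00"  # start of a TLS record; contents opaque to this sketch
FLOWS = [
    (1700000000, "198.51.100.53", 443, 900, TLS),  # DoH resolver: queries hidden
    (1700000001, "203.0.113.7", 80, 450,
     b"GET / HTTP/1.1\r\nHost: example.org\r\nAccept: */*\r\n\r\n"),  # HTTP tried first
    (1700000002, "203.0.113.7", 443, 48000, TLS),
    (1700003600, "192.0.2.10", 443, 1200000, TLS),
    (1700007200, "192.0.2.10", 443, 800000, TLS),
]

if __name__ == "__main__":
    for ip, d in observer_view(FLOWS).items():
        print(ip, sorted(d["hosts"]), d["bytes"], d["conns"], d["first"], d["last"])
```
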
Many higher-end keyboards run QMK, which is a custom firmware you can modify to make all kinds of customizations to your keyboard. And the best part is that it requires no client software; it’s all on-keyboard.