The OS images are immutable beyond updates and are verified from a root of trust. You can't modify them. Even if there were no verification, you would be breaking delta updates by modifying the image used as the source for updates. Even without delta updates, which would eventually stop being available when you fell far enough behind, every update replaces the entirety of the OS and any changes would be gone after the first update. The OS moving the hosts file to data and providing a way to modify it isn't an appropriate approach since it's simply not designed for this purpose and works very poorly. Proper DNS filtering is the right approach when done well and is already supported.
Providing a custom DNS resolver via a VPN service app works fine. A VPN service app is responsible for providing DNS and can do that without actually routing traffic through itself, meaning there's already a very efficient way to run a custom DNS resolver with anything you want, like an alternative encryption approach to DoT/DoH, filtering the requests, monitoring the requests, etc. This can be a standalone app or can be part of an app providing support for VPN connections like OpenVPN, WireGuard, etc. It's entirely possible via apps already in a well-implemented, reasonable way and therefore this doesn't need to be built into the OS.
There's also the Private DNS feature for a custom DoT/DoH resolver if you want to use an existing filtered DNS service instead of running an app providing a local resolver doing filtering and forwarding to another resolver.
You can also get other DNS-resolver-based features this way, such as monitoring the DNS queries, changing certain results, using local DNSSEC validation or even doing recursive resolving instead of using a DNS resolver like Quad9 or Cloudflare, if for some reason you want to directly connect to the root servers, TLD servers and authoritative DNS servers of each domain you use instead of having a resolver server with caching between you and them.
The VPN service feature works fine for all this and doesn't mean you can't use an actual VPN. You just need an app supporting all the features you want, such as both loading DNS request filter lists and using a WireGuard VPN.
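As an added illustration of the local filtering-and-forwarding resolver the post describes (example code written for this page, not GrapheneOS code and not from the post), this Python sketch shows the core decision such an app makes: parse the question name, answer blocked names and their subdomains locally with NXDOMAIN, and hand everything else to an upstream forwarder unchanged. The blocklist, the loopback listen address and the 9.9.9.9 upstream are constructed assumptions; a VPN service app would read the packets from its tun interface rather than a UDP socket.

```python
import socket
import struct

# Constructed blocklist: these names and every subdomain of them are blocked.
BLOCKLIST = {"ads.example", "tracker.example"}

def parse_qname(msg: bytes, offset: int = 12):
    """Read the question name starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:  # compression pointers do not appear in a well-formed question
            raise ValueError("unexpected compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def is_blocked(name: str) -> bool:
    """Match the name and each parent domain against the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def nxdomain_response(query: bytes) -> bytes:
    """Answer locally with NXDOMAIN: copy ID and question, set QR/RA, keep RD, RCODE=3."""
    _, qend = parse_qname(query)
    flags_in = struct.unpack("!H", query[2:4])[0]
    flags = 0x8000 | (flags_in & 0x0100) | 0x0080 | 0x0003
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + query[12:qend + 4]  # question = name + QTYPE + QCLASS

def handle_query(query: bytes, forward) -> bytes:
    """Block locally, or pass the untouched query to forward(), which returns the upstream reply."""
    name, _ = parse_qname(query)
    return nxdomain_response(query) if is_blocked(name) else forward(query)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A query used for the example run (RD set, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def serve(listen=("127.0.0.1", 5353), upstream=("9.9.9.9", 53)):
    """Plain UDP loop (assumed addresses); a VPN service app reads from its tun fd instead."""
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    def forward(q):
        up.sendto(q, upstream)
        return up.recv(4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            data, client = srv.recvfrom(4096)
            srv.sendto(handle_query(data, forward), client)
```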