“If they want to get you, over time they will.” Edward Snowden.
A Tor circuit consists of 3 relays. A bridge/guard relay, middle relay, and exit relay. All of your DNS queries are encrypted via your Tor circuit. Only the Tor exit relay is able to decrypt your DNS queries.
A VPN circuit consists of 1 server (or 2-3 servers if you're using multihop). All of your DNS queries are encrypted via your VPN circuit. All of the VPN servers are able to decrypt your DNS queries.
With Tor, you're anonymous. Whereas with a VPN, you're pseudonymous.
But, why? A VPN is centralized, whereas Tor is decentralized. Your VPN provider is a Man-in-the-middle (MITM) to your VPN circuit.
For plausible deniability, you'll want to set up a Tor bridge/guard relay over your VPN.
By doing this, you'll generate white noise (cover traffic) so your VPN provider won't be able to distinguish your subscriber traffic from other subscriber traffic, providing you with better anonymity.
user_pref("network.trr.mode", 3); user_pref("network.trr.uri", "https://doh-jp.blahdns.com/dns-query"); user_pref("network.trr.bootstrapAddress", "18.104.22.168"); user_pref("network.security.esni.enabled", true);
All of your DNS queries will be encrypted via your DoH resolver, over your VPN. Only your DoH resolver will be able to decrypt your DNS queries.
As for Android, you'll want to install NetGuard for your firewall, WireGuard for your VPN, Orbot for your Tor bridge/guard relay, Bromite for your web browsing, Silence for your secure SMS/MMS messaging, and Syncthing for peer-to-peer file sharing.