nostr relay proxy

event page

Sure, so the passive attacker knows you connect to the DoH/DoT IP address and it leaks the fact that it is "dotprovider.secret", but not the query you send. Indeed SNI was necessary at first for webservers that serve multiple domains. ESNI solves that. I didn't see DNSCrypt discussed while scanning the article. DNSCrypt is built on plain UDP/TCP packets, very similar to original DNS, but with encryption. See spec at dnscrypt.info. (Note also that there are "oblivious" querying methods that obscure the exact domain name you're querying from the nameserver. Offered by dnscrypt-proxy.) Afaict from your post, the emphasis is predominantly on the (E)SNI issue.
