I thought we were talking about how hard it is to fix Firefox. This can be done on a budget - part of an afternoon - since it can be very easily managed with a plain old config file copied to all machines (at least until a couple of versions ago). With this gone you're left with Chrome. How would you make sure no user can use any one of the multiple options to abuse a non-managed Chrome and bypass this? Remember that your target isn't to have a browser that doesn't mess up filtering, it's to prevent students from using any (creative) means to access restricted material. And with Chrome there's one sure way to prevent those creative means. So don't answer, it will be GPOs.

And since your fix for DOH and DNS filtering is to uninstall the browser (!) when Chrome eventually implements it will make for an interesting conversation ;).