I have an entirely separate VLAN network in my house for "appliances". Any access to the internet from that network has to be explicitly whitelisted in my router.

pi-hole uses DNS, and will give out fake ip addresses based on the name lookup.

Unfortunately it is NOT a firewall.

Any device can easily do its own DNS like DoH (dns over https), nnot involve pihole in name lookups, and send package directly to the destination ip address.

I used to have a rule on my firewall to redirect all internal 53/udp dns traffic to my local DNS server for just this reason. But with DoH, there’s really not much one can do to ensure a device is behaving without completely null routing that device.

I have a Samsung TV similarly hobbled. I simply never gave it a network connection and it works fine.

For now at least this really isn't an issue. If and when these companies ever start requiring a network connection it's a different story.