pi-hole uses DNS, and will give out fake ip addresses based on the name lookup.
Unfortunately it is NOT a firewall.
Any device can easily do its own DNS like DoH (dns over https), nnot involve pihole in name lookups, and send package directly to the destination ip address.
I used to have a rule on my firewall to redirect all internal 53/udp dns traffic to my local DNS server for just this reason. But with DoH, there’s really not much one can do to ensure a device is behaving without completely null routing that device.
Unfortunately it is NOT a firewall.
Any device can easily do its own DNS like DoH (dns over https), nnot involve pihole in name lookups, and send package directly to the destination ip address.