that things like DoT/DoH can not be used by the captive portal client.
(I just want to make the assumption explicit. I'm not complaining about it)
That's not really an assumption - the fact that the captive portal client can't do DoT/DoH is mostly true today, because unless the portal is open, 443 and 853 are likely to be blocked. By and large, DoT / DoH clients probably already know not to attempt them on captive portals.