I don't get it - why can't the "right holder" who wants a site blocked drag Cloudflare itself to the court over this, just like ISP's are asked to do the blocking now?
They could but this would force people down the legal route vs. being able to easily filter on edge devices. Meaning ISP's and corporations that cooperate with requests vs. court orders would be out of the picture and block-lists distributed by firewall vendors become less effective.
This may get interesting in the corporate world where firewalls such as PAN and Fortigates are expected to block unwanted domains. Some companies also filter on internal DNS but may have to start blocking or intercepting MiTM DoH or just outright blocking the DNS "HTTPS" requests which is one documented way to disable ECH. [1]
Discussion for HAProxy [2] Hoping wtarreau chimes in
OpenSSL [3]
[1] - https://trac.nginx.org/nginx/ticket/2275
[2] - https://github.com/haproxy/haproxy/issues/1924
[3] - https://github.com/openssl/openssl/issues/7482