mask.icloud.com and mask-h2.icloud.com blocking issues
I noticed some sites weren’t loading, or seemed to hang a lot while loading, while using an iPhone, so I looked at the device’s blocked list in FWG. I noticed mask.icloud.com and mask-h2.icloud.com were getting blocked a lot by the Firewalla Apple Private Relay list (I have it enabled, domain only). But Apple Private Relay is disabled on this phone. If I pause the blocking rule, they still get blocked by the DoH services block list (domain only). Once I disable both, browsing seems fine…but I want these block lists enabled.

I did notice that if I keep these rules enabled and switch my phone to LTE, it switches over to WireGuard VPN as I’ve configured, and even though the VPN client in FWG has the exact same rules, I don’t see these domains pop up in the blocked list. I know Apple Private Relay is a type of VPN service itself, so maybe when I enable a VPN it can’t also work, but it appears to me that Apple is forcing some DNS queries over Apple Private Relay even if I have the feature disabled on my device! Yikes.

I’m using DNS Unbound in FWG. Might be more of a question for Apple, but thought I’d see if anyone else has seen this.