I think there is already a lot of post and article explaining dot and dnssec and they serve different purpose. There is no conflict in using proxy-dnssec with dot. As many posts and articles already states, they complement each other. In simple understanding, dnssec is like ensuring the queries(lookup) is verified from root all the way to you but the queries data is not encrypt. Encryption of these queries data is by dot/doh protocol.
Now, noted that when dns providers states that they are dnssec enabled. It mean from root zone to them the dns is secured (verified) however, from them to us, if dnssec is not enabled (router), we will fail the dnssec test as the test is done by your side(router). However sites like
http://en.conn.internet.nl/connection/ and
https://dnssec.vs.uni-due.de/
They are testing between the dns provider u used and the root zone.
Site like 1.1.1.1/help are testing between you (router) and the site script used.
Now the difference between dnssec and dnssec-proxy is enabling dnssec without the proxy mean dnsmasq/stubby do the dnssec validation but with dnssec-proxy, it enabled dnssec validation on your router side by trusting dns provider’s own dnssec validation and forward the validation result to you and used as if you verified. That’s why the dnsmasq man (
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html)
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
Meaning you need to trust the dns providers in their validation. I would assume those big dns providers players like Google/cloudflare/quad9 should be trustable compare to those private dns provider.