It's more complicated than that: using unbound is basically trusting your ISP with your DNS data (it's not encrypted so it can MITM). Using an upstream resolver doesn't necessarily mean you give up on privacy.
It may actually be more private to use a public resolver (with DoT or DoH of course) that will know your IP address but maybe not directly tie it to your identity (like an ISP does). Also, imo they generally have better privacy policies than ISPs (not that I trust those but still).
The next more private options include using DNS over Tor or Oblivious DNS (https://blog.cloudflare.com/oblivious-dns/). Those options are better for privacy, but I don't see them are default (at least for now) as they imply some slowness (Tor) or are more opinionated (ODNS).
Even after all that, your browser will leak the SNI header in clear-text (eSNI isn't popular yet) so your ISP can still get the precise name of the site you want to visit.
> a SSL connection is transient and you can't replay it to show that Google's certificate digitally signed that email in GMail.
Actually, there the TLSNotary[1] protocol that allows you to use the https connection as a means to sign the web content your browser received.
There is the PageSigner browser extension that uses TLSNotary to sign webpages.
However, it seems like this project wasn't given a lot of love this last few years.
Good news is version 2.0 has been released just a week ago[2], with support for TLS 1.2, but with a major drawback for me: it now trusts a server generating the TLS keys for the notarized page. Sure, it's an "oracle" server not controlled by PageSigner but still operated by Amazon.
I want to use a one-time pad with a friend. That requires generating a fully random file that I then need to send to my friend (physically).
I don't have an Ethernet port on my machine to send the file on the wire, and I don't want to rely on weaker cryptography (WiFI, aes) to send this file (basically, everything is weaker than a one-time pad).
I also don't want to leave undeletable traces of my one-time pad on a flash drive.
So what's left is the actual screen of the device, provided I don't have any hidden cameras where I live.
I could use a hard drive and then shred the secrets, but nothing is proven regarding the actual deletion of the files, and QR codes are much cooler!
It may actually be more private to use a public resolver (with DoT or DoH of course) that will know your IP address but maybe not directly tie it to your identity (like an ISP does). Also, imo they generally have better privacy policies than ISPs (not that I trust those but still).
The next more private options include using DNS over Tor or Oblivious DNS (https://blog.cloudflare.com/oblivious-dns/). Those options are better for privacy, but I don't see them are default (at least for now) as they imply some slowness (Tor) or are more opinionated (ODNS).
Even after all that, your browser will leak the SNI header in clear-text (eSNI isn't popular yet) so your ISP can still get the precise name of the site you want to visit.