It's possible your ISP is intercepting all traffic for port 53 and sending it to their own nameservers (which do send client subnet) instead of you actually talking to Cloudflare's 1.1.1.1 at all.
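One way to test for the interception described above, as an added example that is not part of this thread: send the `id.server` CHAOS TXT query (RFC 4892) directly to the resolver you intend to use and look at what comes back. Public resolvers such as 1.1.1.1 answer it with a TXT record naming the responding server; a transparent proxy that swallowed the packet typically returns no TXT answer, REFUSED, or a name that does not belong to the resolver you addressed. The wire-format builder and parser below are written from scratch with the standard library; `build_sample_response` is a constructed reply used only for the offline self-check, and the assumption that the target resolver supports `id.server` is labelled in the code.

```python
import secrets
import socket
import struct

CLASS_CH = 3     # CHAOS class, used for server-identity queries (RFC 4892)
TYPE_TXT = 16
QNAME = "id.server"


def _encode_name(name):
    """Encode a dotted name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(txid, qname=QNAME, qtype=TYPE_TXT, qclass=CLASS_CH):
    """Build a minimal DNS query with the RD bit set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", qtype, qclass)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name; return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_txt_response(data, expected_id):
    """Return (rcode, [txt strings]) from a DNS response; reject ID mismatches."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(data, off) + 4
    strings = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:                # TXT rdata is a series of length-prefixed strings
            i = 0
            while i < rdlen:
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return rcode, strings


def assess(rcode, strings):
    """Human-readable verdict: did the addressed resolver identify itself?"""
    if rcode == 0 and strings:
        return "resolver identified itself as: " + ", ".join(strings)
    return "no id.server answer (rcode %d): the reply may not come from the resolver you addressed" % rcode


def query_id_server(server, port=53, timeout=3.0):
    """Live check over UDP. Assumes the target resolver supports id.server CH TXT."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data, txid)


def build_sample_response(txid, text, rcode=0):
    """Constructed sample reply in the same wire format, for offline testing only."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1, 0, 0)
    question = _encode_name(QNAME) + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(text)]) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    try:
        print(assess(*query_id_server("1.1.1.1")))
    except (socket.timeout, OSError, ValueError) as exc:
        print("query failed:", exc)
```

Run it on a suspect network and again from a network you trust; the resolver name in the TXT answer should be stable for the resolver you addressed, and a sudden change, REFUSED, or an empty answer is the signal to investigate further (for example with DNS over HTTPS or TLS, which a port-53 proxy cannot see).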



Links for documented instances of this practice?


I don't know of any particular popular concrete instance, but why is it hard to believe? It's trivial to implement and would be brought to you by the same people who think serving ads for NXDOMAIN is a good idea.

https://www.dnsleaktest.com/what-is-transparent-dns-proxy.ht...


That link was useful, thank you. I don't find it hard to believe technically, but it strikes me as a fundamentally different practice than what I'd heard of before. If I request for traffic to go to a certain IP, I expect it to be sent to that IP. MITMing and manipulating that traffic is bad, but not delivering it at all is qualitatively different. I suspect it could be grounds for a serious civil or criminal action.


I can confirm we run across transparent dns proxying with customers at DNSFilter all the time. Mobile carriers are the worst for doing this.

A few days ago it was a customer's compromised router doing it.


I have personally witnessed this happening with Wind-Infostrada in Italy. DNS spoofing was done through the ISP-provided fiber modem/router though, not at the ISP level; if you actually changed the DNS servers on the router then it would send all your queries to those routers instead of the ISP ones.

I couldn't figure out if this was plain incompetency, an attempt to enforce DNS-based website blocking, or some programmer willfully implementing the latter with the former so that it would be reasonably easy to circumvent.

Also, Italian residential providers really, really like to mess with NXDOMAIN, returning a "helpful" error page with affiliate links instead. You might think you can imagine how much shit this breaks; you probably don't.



ISPs in several countries I've been to do this to blacklist "objectionable" sites (which apparently includes reddit now) at the DNS level. Turning on DNS-over-HTTPS solves that.

