I'm wondering if the long and intensive cache and serve-stale settings in encrypted-dns.toml and unbound.conf is a good idea. Especially with regard to CDN's or sites like Youtube, which often change IPs for load-balancing (benefit for hoster and user).
Caching is nice and important of course, but the main goal of a resolver should be to hand over correct and current IPs.

encrypted-dns.toml

cache_ttl_min = 3600 // "1800" should be sufficient (even that is often too long)

unbound.conf

cache-min-ttl: 3600 // "1800" should be sufficient (even that is often too long)
serve-expired-ttl: 86400 // even if the suggested value per draft-ietf-dnsop-serve-stale-10 is between 86400 and 259200, again much too long in my opinion, personally I use cache-min-ttl multiplied by 2 or 3.
serve-expired-ttl-reset: yes // would recommend "no" (also the Unbound default). It's better to deliver none IP than an outdated (=invalid) one

Side note: if cache_ttl_error = 600 in encrypted-dns.toml is the same as val-bogus-ttl of Unbound, Unbound has a default of 60 seconds here.