If a device has enabled encrypted DNS with a profile or NetworkExtension app, that cannot be disabled by the network. This is equivalent to how a VPN that is configured by a profile or app cannot be disabled by joining a network.
However, both profiles and NetworkExtension apps are able to configure network rules to create exceptions for networks that should *not* use the encrypted DNS settings. So, a school network that requires insecure DNS could presumably block encrypted DNS (which would break connectivity for any users that had encrypted DNS enabled), and the users could if they consent add network rules to disable encrypted DNS on that particular network.
For supervised devices owned by a school, etc, a managed profile can be added to the device to configure the encrypted DNS server that the school chooses. On supervised devices, the profile can specify that the DNS Configuration cannot be disabled, thus preventing the user from using any other DNS. See:
https://developer.apple.com/documentation/devicemanagement/dnssettings
