DNS server changes not being applied

You are missing SNI suffixes necessary for hostname verification.

Also note that DNSSEC is disabled by default due to compatibility problems, and if your DNS provider validates DNSSEC on their side like Google does, then enabling local validation is essentially overkill, just increasing latency.

Personally, I prefer a setup like this:

# Drop-in directory: overrides /etc/systemd/resolved.conf without editing it
sudo mkdir -p /etc/systemd/resolved.conf.d
# Each address carries a "#hostname" SNI suffix, which resolved uses to verify the server certificate
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNS=8.8.8.8#dns.google
DNS=8.8.4.4#dns.google
DNS=2001:4860:4860::8888#dns.google
DNS=2001:4860:4860::8844#dns.google
DNSOverTLS=yes
EOF
# Apply the new drop-in
sudo systemctl restart systemd-resolved.service

Interaction with NetworkManager is redundant in this case, so disabling it prevents any possibility of DNS leaks and helps clarify otherwise ambiguous status output.
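As an added example (not part of the post above), a small Python checker for a resolved.conf drop-in of the kind shown: it parses the [Resolve] section and flags any DNS= server that is not a valid IP address or, when DNSOverTLS=yes, lacks the "#hostname" suffix that hostname verification needs. The sample configuration is constructed and assumes the simple address[%iface][#name] token form without a port.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the post's drop-in, except that one entry deliberately
# lacks its "#dns.google" suffix so the checker has something to flag.
SAMPLE_CONF = """\
[Resolve]
DNS=8.8.8.8#dns.google 8.8.4.4#dns.google
DNS=2001:4860:4860::8888#dns.google
DNS=2001:4860:4860::8844
DNSOverTLS=yes
"""


def parse_resolve_section(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs from [Resolve]; comments and other sections are skipped."""
    pairs, in_resolve = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_resolve = line == "[Resolve]"
            continue
        if in_resolve and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def split_server(server: str) -> Tuple[str, str]:
    """Split one DNS= token into (address, sni_name); assumes no :port is present."""
    addr, _, sni = server.partition("#")
    return addr.split("%", 1)[0], sni


def check_dot_config(text: str) -> List[str]:
    """Findings for a resolved.conf fragment; empty means every DNS= server is usable for DoT."""
    pairs = parse_resolve_section(text)
    strict = any(k == "DNSOverTLS" and v.lower() == "yes" for k, v in pairs)
    findings = []
    if not strict:
        findings.append("DNSOverTLS is not 'yes' (strict mode): certificate hostname verification is not enforced")
    for key, value in pairs:
        if key != "DNS":
            continue
        for server in value.split():
            addr, sni = split_server(server)
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"{server}: '{addr}' is not a valid IP address")
                continue
            if strict and not sni:
                findings.append(f"{server}: missing '#hostname' suffix, so the certificate cannot be verified against a name")
    return findings
```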