Back in the day ASUS were a high-end OEM who catered to the server/workstation market and made very solid boards; like your experience with HH/SH products, that was a hell of a long time ago and a lot has changed. The current gen SH2 is probably one of the best for WiFi that any ISP currently supplies: it has 7 antennae, uses 4x4 5GHz and 3x3 2.4GHz at the same power the ASUS does, and its design is technically quite good.
BQM can’t be done on the SH itself, there is no way to enable ICMP responses on WAN (how convenient). Workarounds exist, but they involve something having to respond to ICMP and that’s likely to be in the DMZ.
WiFi speed is interesting. I could saturate my connection over WiFi on g.fast (235ish back in the day); as I wasn’t keeping it, I never broke iperf out for local checks, as any device I own that needs to move data fast is wired and wireless is for IoT and mobile devices. Realistically, if you want fast WiFi, install decent APs on the top floor in a central location; anything else is likely already losing coverage/speed due to sub-optimal positioning. A decent AP isn’t much different in price to a BT disc, but it’s capable of (potentially) gigabit with the right client/conditions.
Granular control is easy enough with Pi-Hole handling DHCP and DNS: just turn off DHCP on the SH2 and Pi-Hole will present itself as the DNS server of choice, then use whoever you want upstream (OpenDNS, CF, DuckDNS, Google etc.). Pi-Hole runs well on any Pi ever sold or in a virtual environment.
VPN at a router level can make sense, but only with policy-based routing so you don’t push everything via VPN; however, you really want a router that can support hardware acceleration and neither the AC88U nor the SH do. Incidentally, have a look at the non-modem version of what you have and the update history... quite a few patches relate to exploits/CVEs. I wonder why none of them have ever affected the modem-wielding variant?
So where does that leave us? Well, you could buy the non-modem version of what you have now (it’s had firmware updates for exploits this month) and a MT992 modem; this way you wouldn’t need Pi-Hole and could just run OpenDNS for filtering, and BCM will also work. I suspect, based on what you’ve said, that you would be pretty happy with this. I’d suggest flashing Merlin to it or another *WRT derivative, but other than a nasty habit of the WiFi/switch interface dropping, and it being my least favourite brand in the industry, it’ll do a decent enough job. Before you do, consider that the AX-88U and AC86U both support hardware acceleration on the VPN side, which is a bit of a game changer compared to doing it in software, but don’t route everything over VPN, not unless you like online orders being flagged as potential fraud, playing cat & mouse with domestic streaming services etc., and things like the split payments function in PayPal disappearing.
If you want to go with a different approach, then a USG3 works well with the Unifi APs to give single-pane management, but its IDS traffic analysis won’t keep up with your g.fast speeds; for that you are looking at a USG4Pro, and by the time you’re up to that sort of price new, the UDM is likely a better shout as it includes the controller and AP function for only a little more. You’ll still need a modem.
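As an added example (not from the post above or any vendor's firmware), here is what the "policy-based routing, don't push everything via VPN" advice looks like on a Linux-based router (Merlin/*WRT style): only the LAN hosts listed in VPN_CLIENTS leave via the tunnel, everything else uses the ISP WAN, and a blackhole route stops those hosts leaking to the WAN if the tunnel drops. The interface names (tun0, br0), tunnel gateway, table number and client addresses are all assumed sample values.

```shell
#!/bin/sh
# Policy-based routing for a router-level VPN (example, not from the post).
# Assumed names: tun0 = VPN tunnel, br0 = LAN bridge, 10.8.0.1 = tunnel gateway,
# routing table 100 reserved for VPN-bound hosts. Override via environment.
VPN_IF="${VPN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.0.1}"
VPN_TABLE="${VPN_TABLE:-100}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Constructed sample: a streaming box and a work laptop should use the tunnel.
VPN_CLIENTS="${VPN_CLIENTS:-192.168.1.50 192.168.1.51}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ip(8) commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

vpn_pbr_clear() {
  # Remove any earlier per-host rules so re-running does not stack duplicates.
  for host in $VPN_CLIENTS; do
    run ip rule del from "$host" lookup "$VPN_TABLE"
  done
}

vpn_pbr_apply() {
  # Table 100: default via the tunnel, but keep the LAN reachable directly.
  run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
  # Kill-switch: if tun0 goes down the kernel drops the tunnel route, leaving only
  # this higher-metric blackhole, so VPN clients fail closed instead of using WAN.
  run ip route replace blackhole default table "$VPN_TABLE" metric 200
  # Priority 1000 is consulted before the main table (32766), so only the listed
  # hosts are steered into table 100; every other LAN host keeps the ISP route.
  for host in $VPN_CLIENTS; do
    run ip rule add from "$host" lookup "$VPN_TABLE" priority 1000
  done
}

vpn_pbr_clear
vpn_pbr_apply
```

Run with DRY_RUN=1 first to review the generated commands; with DRY_RUN=0 the same functions apply them, and `ip rule show` / `ip route show table 100` let you confirm which hosts are steered into the tunnel.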