I am always confused about whether to use an app like RethinkDNS, InviZible Pro, AdGuard, etc. to manage DNS requests on my phone or just use the private DNS.
Is there any privacy advantage or security concern over them? When I use an app, can all DNS queries be routed through my preferred DNS (like in a bloated phone, all tracking requests can be blocked)? Is private DNS easy for the system to bypass?
I always use RethinkDNS and block bypassed DNS, so I think now every DNS is routed through RethinkDNS and it's impossible to cause a leak. Is that a myth, as no DNS app can provide that much privacy or security?
How effective is an application firewall compared to a network-level firewall like NextDNS?
Overall question is, may I use an application firewall or a network-level firewall?
As best I understand it, running a private caching DNS server is the only guaranteed increase in privacy for DNS. That server still has to reach out to the net the first time a request is made, but will resolve all subsequent requests locally. DNSSEC to a privacy-respecting DNS provider like Quad9 at 149.112.112.112 from your local DNS server. Mayhaps the best you could do for a roaming device like a phone is to run a decent VPN with an option to prevent DNS leaks.
Is there any privacy advantage or security concern over them?
This is more of a philosophical question than anything. If you trust that they’re not using your data for anything nefarious, I really advocate for RethinkDNS. It’s a really great service and truly fills a need between the clear-net and running your own DNS.
If you don’t trust RethinkDNS, etc, etc, to not do anything nefarious, then it’s time to set up your own.
I always use RethinkDNS and block bypassed DNS, so I think now every DNS is routed through RethinkDNS and it's impossible to cause a leak. Is that a myth, as no DNS app can provide that much privacy or security?
I wouldn’t say it’s a myth or anything, but to say you’re 100% secure from leak? Probably don’t trust that feeling. Keep it at 99% secure with 1% suspicion.
How effective is an application firewall compared to a network-level firewall like NextDNS?
Like most security software, it depends on how you use them. If you use firewalls effectively, even software-based firewalls can work exceptionally well.
May I use an application firewall or a network-level firewall?
You can do both. Software-based requires you to set up something on each device you want to firewall. Network is a blanket and will affect all of your devices with only one setup. But either works just fine–just depends on how much effort you want to put into it, I guess.
When I am using RethinkDNS, does it matter whether I am using RethinkDNS hosted on Cloudflare / Fly.io or just using other DNS services (like AdGuard, NextDNS, Mullvad, etc.)? Then will it miss the entire point of using Rethink?
It really doesn’t matter. It tells you the difference between the CDNs right on the usage page.