We just ran into this while testing web filtering with Cloudflare DNS. You are correct that iCloud Private Relay bypasses the configured DNS servers, but there is another spot: the "Advanced Tracking and Fingerprint Protection" setting in Safari (Settings, Safari, Advanced Settings). It is on by default for Private Mode browsing.