Interesting. I set an adblocking dns via DHCP and, as far as I know, the Roku respects it. Ads are blocked and I can see it failing to delivery telemetry in my dns logs (most persistent thing on the network).
I set a rule to catch outside dns to see if anything, the roku included, has been misbehaving.
Pihole blocks the basics for Roku. Things like logs ads etc. but there’s a lot more telemetry that they’re collecting. Here’s a hackernews thread about the topic and the associated article it references.
Not familiar with Rokus, but it depends on what your filtering. Mostly it's to block needless analytics tracking. I use a pair of PiHoles for much the same purpose.
One reason used to be to switch to a different region for Netflix, etc but I'm not sure if that still works, I haven't had to use a Roku in a long time.
Using the firewall to force dns because the services were stupid enough to rely on dns to determine location. You would use a (usually paid) dns service hosted out of the wherever the content you want was and get access to region locked stuff like the US netflix library from abroad. This worked because vpns were being detected and rokus dns was hard coded so assumed to be trusted.
I don't know if this still works because I no longer own anything Roku and Netflix's service hasn't been worth that kind of shenanigans for a long time. It likely doesn't work anymore.