DNS-over-TLS forwarding to custom NextDNS fails due to (apparent) lack of SNI in knot-resolver

No, SNI should always get sent when hostname is set.