rfm

This is a suggestion, not an answer, because I don't have a setup where I could test it, but I think it's going to be too long to fit in a comment.

  1. Back out the replacement of resolv.conf with a static file. This will route all DNS queries through the stub resolver provided by systemd-resolved.
  2. Configure systemd-resolved to use DNS-over-TLS. [https://medium.com/@jawadalkassim/enable-dns-over-tls-in-linux-using-systemd-b03e44448c1c] has some instructions that look OK to me, and I see you started out this way to begin with.
  3. Stop dhcp from adding the DNS server that your router is supplying when it configures the connections. Do this in the netplan file and run netplan try to enable it.
network:
  version: 2
  ethernets:
    enp0s10:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false

I think after all that, DNS requests on the local machine will be sent to the local stub resolver in systemd-resolved. systemd-resolved will forward to the configured DNS servers using DNS over TLS. Assuming the VPN setup changed the default route to be on tun0, it shouldn't go over enp0s10.

Post Made Community Wiki by rfm
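An added example, not part of rfm's answer: a read-only audit script that checks the end state the three steps above are meant to produce, so you can confirm it before relying on it (and re-run it after the next `netplan apply` or package upgrade). It assumes the usual Ubuntu locations, `/etc/resolv.conf` linked to `/run/systemd/resolve/stub-resolv.conf`, DNS-over-TLS configured in `/etc/systemd/resolved.conf`, and a netplan file under `/etc/netplan/`; the file paths are parameters so you can point it at a drop-in such as `/etc/systemd/resolved.conf.d/dot.conf` instead. The sample files it writes to a temp directory are constructed for the demo, and `192.0.2.53#dot.example.net` is a placeholder, not a real resolver.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the three settings described
# in the answer. Paths are parameters so the checks can run against copies;
# defaults are the usual Ubuntu locations (an assumption, verify on your system).

# Step 1: /etc/resolv.conf should be a symlink to the systemd-resolved stub,
# not a static file. A regular file (no symlink target) fails the check.
check_resolv_conf() {
    target=$(readlink "${1:-/etc/resolv.conf}" 2>/dev/null) || return 1
    case "$target" in
        *run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: resolved.conf (or a drop-in) must name explicit upstream servers and
# require DNS-over-TLS. "opportunistic" falls back to plaintext when TLS fails,
# so only DNSOverTLS=yes counts as enforced.
check_resolved_dot() {
    f=${1:-/etc/systemd/resolved.conf}
    grep -Eq '^[[:space:]]*DNS[[:space:]]*=[[:space:]]*[^[:space:]#]' "$f" || return 1
    grep -Eq '^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$f" || return 1
}

# Step 3: the netplan file must carry "use-dns: false" nested under
# "dhcp4-overrides:", so the router's DHCP-supplied DNS server is never handed
# to systemd-resolved. The awk tracks indentation to stay inside that block.
check_netplan_use_dns() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*dhcp4-overrides:/ { inblock = 1; depth = match($0, /[^ ]/); next }
        inblock && match($0, /[^ ]/) <= depth { inblock = 0 }
        inblock && /^[[:space:]]*use-dns:[[:space:]]*false/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "${1:-/etc/netplan/01-netcfg.yaml}"
}

# Run all three checks and print a line per result; returns 0 only if all pass.
audit_dns_setup() {
    rc=0
    if check_resolv_conf "$1"; then echo "ok   resolv.conf -> systemd-resolved stub"
    else echo "FAIL resolv.conf is static or points elsewhere"; rc=1; fi
    if check_resolved_dot "$2"; then echo "ok   resolved.conf sets DNS= and DNSOverTLS=yes"
    else echo "FAIL resolved.conf lacks DNS= or DNSOverTLS=yes"; rc=1; fi
    if check_netplan_use_dns "$3"; then echo "ok   netplan: dhcp4-overrides use-dns: false"
    else echo "FAIL netplan still accepts DHCP-supplied DNS"; rc=1; fi
    return $rc
}

# Demo on constructed sample files, so this runs anywhere without reading /etc.
demo=$(mktemp -d)
ln -s ../run/systemd/resolve/stub-resolv.conf "$demo/resolv.conf"
cat > "$demo/resolved.conf" <<'EOF'
[Resolve]
DNS=192.0.2.53#dot.example.net
DNSOverTLS=yes
EOF
cat > "$demo/01-netcfg.yaml" <<'EOF'
network:
  version: 2
  ethernets:
    enp0s10:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false
EOF
audit_dns_setup "$demo/resolv.conf" "$demo/resolved.conf" "$demo/01-netcfg.yaml"
rm -rf "$demo"
# Against the live system:
#   audit_dns_setup /etc/resolv.conf /etc/systemd/resolved.conf /etc/netplan/01-netcfg.yaml
```

The script only inspects files; pair it with `resolvectl status`, which reports what systemd-resolved is actually using per link (including whether DNS-over-TLS is active), since a correct config that has not been applied or restarted is the usual reason the two disagree.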