
> So in the Tor browser, DNS resolution for non-onion addresses creates a new circuit each time?

You can try it for yourself: open a tab in the Tor Browser with foo1.com and look at the circuit in the Torbutton. Then open another tab with foo2.com, look at the circuit, and compare it with the earlier one.



The DNS resolution is done by the exit node. Once you go to foo1.com or foo2.com after the resolution, you are still going to separate IPs and subject to the same benefits. There's really nothing to compare this CloudFlare service to except something like an HTTP API as an onion service (or bind or whatever).

There is safety in numbers accessing the CloudFlare service. It helps reduce traffic analysis attacks that could otherwise occur on exit nodes and the exit node's possibly non-authoritative resolver, because correlation between the circuit to CloudFlare's resolution and the exit node's site access is a bit harder. Granted, once you enter the HTTP world and ask that second-level domain to start the TLS handshake, they can see where you're going anyway, so it might not matter. But it can prevent you from being poisoned by the exit node's DNS resolver. It just removes one layer of trust from the exit node.


Let's say you set this up with the Tor Browser: all your DNS resolutions are done using this onion, so they're all linkable, whereas with the default they're unlinkable, since two different circuits were used for different first-party domains. That's the point.


I don't think that's much of a problem, considering it's simply the DNS resolver. Linkability might be a problem if the site you want to reach is the site you want to visit.

On the other hand, I'm sure this is fixable in certain ways; it just needs patches in the browser/proxy.


Right, if you don't trust CloudFlare or you think there is a flaw in Tor. Let's say you didn't set this up: the exit node can lie about the DNS resolution. Granted, to your point, unless I was worried about exit nodes, I probably would want my resolution on the same circuit/session as my access.


I don't think there's any reason you can't have both: for each site have a new circuit, and make a connection for that DNS resolution only, on that circuit or a separate one, using Cloudflare.
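Added example, not from any commenter in the thread: how the "new circuit per site, resolve on that circuit" idea looks at the SOCKS layer. It assumes Tor's SOCKS5 RESOLVE extension (command 0xF0), Tor's default IsolateSOCKSAuth behaviour (different SOCKS credentials get different circuits), a local Tor SOCKS port on 127.0.0.1:9150, and a hypothetical credential scheme keyed on the first-party domain; the reply bytes in the test are constructed.

```python
import socket
import struct
from typing import Optional, Tuple

TOR_SOCKS_RESOLVE = 0xF0  # Tor extension: resolve a hostname over a circuit
SOCKS5_CONNECT = 0x01     # standard SOCKS5 CONNECT, for the site itself

def socks5_greeting_userpass() -> bytes:
    # Offer only RFC 1929 username/password auth (method 0x02).
    return bytes([0x05, 0x01, 0x02])

def socks5_userpass(username: str, password: str) -> bytes:
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def socks5_request(command: int, hostname: str, port: int = 0) -> bytes:
    # ATYP 0x03 = domain name, so the proxy (the exit) does the lookup, not us.
    h = hostname.encode("idna")
    return bytes([0x05, command, 0x00, 0x03, len(h)]) + h + struct.pack("!H", port)

def isolation_credentials(first_party: str) -> Tuple[str, str]:
    # Hypothetical scheme: key the SOCKS username on the first-party domain so
    # Tor (IsolateSOCKSAuth) keeps foo1.com and foo2.com on separate circuits.
    return first_party, "isolated"

def parse_resolve_reply(reply: bytes) -> Optional[str]:
    # RESOLVE reply: VER REP RSV ATYP BND.ADDR BND.PORT; address is the answer.
    if len(reply) < 4 or reply[0] != 0x05 or reply[1] != 0x00:
        return None
    atyp = reply[3]
    if atyp == 0x01 and len(reply) >= 10:
        return socket.inet_ntop(socket.AF_INET, reply[4:8])
    if atyp == 0x04 and len(reply) >= 22:
        return socket.inet_ntop(socket.AF_INET6, reply[4:20])
    return None

def resolve_isolated(first_party: str, hostname: str,
                     proxy=("127.0.0.1", 9150)) -> Optional[str]:
    # Full exchange against a running Tor SOCKS port (assumed address).
    # Using the same credentials for the site's CONNECT keeps the lookup and
    # the page load on one circuit, unlinkable to other first parties.
    user, pw = isolation_credentials(first_party)
    with socket.create_connection(proxy) as s:
        s.sendall(socks5_greeting_userpass())
        if s.recv(2) != b"\x05\x02":
            raise RuntimeError("proxy refused username/password auth")
        s.sendall(socks5_userpass(user, pw))
        if s.recv(2) != b"\x01\x00":
            raise RuntimeError("SOCKS auth failed")
        s.sendall(socks5_request(TOR_SOCKS_RESOLVE, hostname))
        return parse_resolve_reply(s.recv(262))
```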


Doing so simply helps traffic analysis. It's how Tor works; no flaw involved.



