Brume 2 policy routing DNS leaks

I have an update on my situation.

So on latest snapshot (v4.6.0) which I tried, the devices are working in a fashion.

So under the UI > Network > DNS settings, on both 4.5.16 and the latest snapshot 4.6.0, the "Encrypted DNS" settings cause the NON policy-routed DNS to go over the VPN interface. I have checked this multiple times with the same results.

On v4.5.16, if you enable AdGuard Home (which then makes the Network > DNS settings disabled), whatever upstream servers you set in AdGuard Home, be they encrypted or not, will all go out via the VPN interface.

On the v4.6.0 snapshot with AdGuard Home enabled and the upstream set to non-encrypted / encrypted DNS, the NON policy-routed devices are going out via WAN DNS (local servers), which is correct (both IP and DNS are located in the same country).

With v4.6.0 you can override the VPN DNS settings on the Network page, although it says "AdGuard Home is enabled and the router will use the DNS servers produced by AdGuard...". You can still toggle on "Allow custom DNS to override VPN DNS", which can then actually cause leaks on the VPN, as ipleak will show a mixture of DNS results from WAN and VPN. So it might be best if the toggles are greyed out and not allowed to be toggled.

So, just to sum up:

V4.5.16 - current stable. Both the GUI Network > DNS and AdGuard Home will bypass WAN DNS and use the VPN DNS gateway for devices that should NOT be going via the VPN if a WireGuard client is running (if using the encrypted DNS settings on the GUI, or using either setting on AdGuard), resulting in an ISP WAN address but VPN DNS results (* using policy-based device routing).

V4.6.0 snapshot (05.06.24 version, DD/MM/YY) will do the same as 4.5.16 in regards to the Network > DNS settings (so still buggy): if they are set to encrypted DNS, then devices that should NOT be policy-routed via the VPN will have a WAN IP but a VPN DNS result. If, however, you turn on AdGuard Home (which disables the GUI Network > DNS), then the policy routing works correctly, just like it does if Network > DNS is set to manual. I can then add DoT DNS (or unencrypted servers) on AdGuard Home and can confirm that DNS is going via DoT and via the correct interface for NON routed clients. Any client going via the VPN shows the correct VPN IP and DNS country flag.

* All of these apply to the VPN client using policy-based device routing.
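The pattern reported above (a client that is excluded from the VPN still gets VPN DNS results) is easiest to understand by tracing the two legs of a DNS query through Linux policy routing: the client's packet to the router's resolver is matched by a source-based rule, but the router's own upstream query has no client source address and falls through to the VPN table. The following is an added example, not code from the original post or from GL.iNet firmware; it models a small, constructed `ip rule` / `ip route` layout (documentation addresses, an assumed WireGuard table `51820` and interface name `wgclient`) and resolves which device each leg egresses on.

```python
"""Trace where a LAN client's DNS query egresses under Linux policy routing.

All rule and route dumps below are constructed for illustration, in the
shape printed by `ip rule show` and `ip route show table <name>`; they are
not taken from a real Brume 2.
"""
import ipaddress
from typing import List, Optional

# Constructed: 192.168.8.100 is excluded from the VPN by a source rule,
# everything else falls through to the (assumed) WireGuard table 51820.
IP_RULES = """\
0:      from all lookup local
1000:   from 192.168.8.100 lookup main
2000:   from all lookup 51820
32766:  from all lookup main
"""

ROUTE_TABLES = {
    "local": "local 192.168.8.1 dev br-lan\nlocal 203.0.113.5 dev eth0\n",
    "main": "default via 203.0.113.1 dev eth0\n"
            "192.168.8.0/24 dev br-lan\n203.0.113.0/24 dev eth0\n",
    "51820": "default dev wgclient\n",   # assumed VPN interface name
}


def parse_rules(text: str):
    """Parse 'prio: from <src|all> lookup <table>' lines, ordered by priority."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        tok = rest.split()
        src = tok[tok.index("from") + 1]
        table = tok[tok.index("lookup") + 1]
        src_net = None if src == "all" else ipaddress.ip_network(src, strict=False)
        rules.append((int(prio), src_net, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text: str):
    """Parse '<dst|default> [via X] dev <if>' lines into (network, device)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("local", "broadcast", "unicast"):  # route type prefix
            tok = tok[1:]
        if tok[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(tok[0], strict=False)
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes


def lookup(table: str, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match in one table; None if the table has no route."""
    best = None
    for net, dev in parse_routes(ROUTE_TABLES[table]):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(src: Optional[str], dst: str) -> Optional[str]:
    """Egress device for a packet. src=None models a packet the router itself
    generates before a source is chosen: it matches only 'from all' rules.
    Returns 'local' when the destination is one of the router's own addresses."""
    d = ipaddress.ip_address(dst)
    s = ipaddress.ip_address(src) if src else None
    for _prio, src_net, table in parse_rules(IP_RULES):
        if src_net is not None and (s is None or s not in src_net):
            continue
        dev = lookup(table, d)
        if dev:  # first rule whose table holds a matching route decides
            return "local" if table == "local" else dev
    return None


def dns_path(client: str, resolver: str, upstream: str) -> List[str]:
    """Both legs of a client's DNS query: client -> resolver, and, when the
    resolver is the router itself, router -> upstream server."""
    legs = [egress(client, resolver)]
    if legs[0] == "local":
        legs.append(egress(None, upstream))
    return legs


if __name__ == "__main__":
    # Excluded client, router resolver: second leg leaves via the VPN (the leak).
    print(dns_path("192.168.8.100", "192.168.8.1", "9.9.9.9"))
    # Excluded client querying the upstream directly stays on the WAN.
    print(dns_path("192.168.8.100", "9.9.9.9", "9.9.9.9"))
```

Reading the output against the post: the excluded client's own traffic correctly matches the `from 192.168.8.100 lookup main` rule and exits on `eth0`, yet its DNS, once forwarded by the router's resolver, is a router-originated packet that matches only `from all` and so takes the VPN table. Running `ip rule show` and `ip route get <upstream-dns-ip>` on the router is the quickest real-world version of this check.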