Companies like 23andMe can do anonymous tests. They can even sell "gift cards" for cash (or bitcoin, for the digitally inclined). Don't deliver kits, let them be picked up without asking for an ID, just by the gift card number. As long as the test results are not linked to a specific address or name, it's fine.
They will still have clues about the state and the city and the IP address of the person. It's enough to do whatever research they may want to do with aggregate data. It's not good enough to sell this data to insurance companies and advertisers.
GDPR requires consent for the processing of personal data. Displaying an ad per se is not regulated by GDPR, and does not require consent. Though personalization of this advertisement requires processing of PII, and thus it is supposed to be regulated.
Facebook UI is full of dark patterns, but it is possible to withdraw consent through settings: www.facebook.com/ads/preferences/
Saudi Arabia is a US ally, so family region block against them is unlikely. Even if it is a country that tolerates and promotes open slave trade (look up #maidsfortransfer on BBC).
What it shows is that it's risky to rely on a "cloud"/subscription service offered by a company from a different jurisdiction. In particular, if the service provider is a US company, it's a red flag. If it's Chinese, it's a red flag too.
Round-robin and privacy do not dwell well together. Like mike-cardwell pointed out in another comment, it just distributes the same information to more parties.
As there has to be at least one party which will know the request, some information will be leaked. But what can be prevented is putting "unrelated" requests in the hands of the same resolver. Few of the requests per se are interesting; the combinations of them allow building user profiles.
The policy should not be round robin, but somehow based on the domain itself, so that all requests about the same domain go to the same resolver, but to nobody else.
An even better mechanism would take into account who is the owner and the controller of the domain. So that requests about, let's say, facebook.com and fbsbx.com land at the same resolver, but github.com and microsoft.com at another.
This is more or less what happens if you have a recursive resolver. In most cases your queries will be seen by the same network that will see your traffic afterwards anyways. Only the TLD nameservers will somewhat occasionally, depending on the TTL, know which network you are about to enter, and they are arguably more trustworthy. I think about it this way: I already trust whichever infrastructure provider my endpoint uses, and the choice of nameservers is an extension to that.
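The per-domain and per-owner resolver policy proposed in the thread above, compared with round-robin, as an added example that is not part of the original comments. The resolver names, the ownership map, the two-label domain rule and the query list are assumptions constructed for illustration; rendezvous hashing is one possible way to get a stable mapping.

```python
import hashlib
from collections import defaultdict

RESOLVERS = ["resolver-a.example", "resolver-b.example", "resolver-c.example"]  # hypothetical

# Hand-maintained ownership map (assumption): domains with one controller share a key.
OWNER_GROUPS = {
    "facebook.com": "owner:facebook", "fbsbx.com": "owner:facebook",
    "github.com": "owner:microsoft", "microsoft.com": "owner:microsoft",
}

def routing_key(qname):
    # Simplification: registrable domain = last two labels; real code needs the Public Suffix List.
    domain = ".".join(qname.rstrip(".").lower().split(".")[-2:])
    return OWNER_GROUPS.get(domain, domain)

def pick_resolver(qname, resolvers=RESOLVERS):
    # Rendezvous hashing: each routing key deterministically maps to a single resolver.
    # Distinct owners may still share a resolver; one owner is never spread over several.
    key = routing_key(qname)
    return max(resolvers, key=lambda r: hashlib.sha256(f"{r}|{key}".encode()).digest())

def round_robin(i, qname):
    return RESOLVERS[i % len(RESOLVERS)]

def sticky(i, qname):
    return pick_resolver(qname)

def exposure(queries, policy):
    """Map each resolver to the set of routing keys it observes under a policy."""
    seen = defaultdict(set)
    for i, q in enumerate(queries):
        seen[policy(i, q)].add(routing_key(q))
    return dict(seen)

def keys_seen_by_many(exp):
    """Routing keys visible to more than one resolver."""
    count = defaultdict(int)
    for keys in exp.values():
        for k in keys:
            count[k] += 1
    return {k for k, n in count.items() if n > 1}

# Constructed sample query stream.
QUERIES = ["www.facebook.com", "static.fbsbx.com", "github.com", "api.github.com",
           "www.microsoft.com", "example.org", "www.facebook.com", "mail.example.org"]

if __name__ == "__main__":
    for name, policy in (("round-robin", round_robin), ("sticky", sticky)):
        print(name, "->", sorted(keys_seen_by_many(exposure(QUERIES, policy))))
```

Under round-robin every owner in the sample ends up visible to several resolvers; under the sticky policy none does.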
The soul craves for what's not easily attainable.
Commercial transactions are all the same.
Feasibility is sweet but one-dimensional.
There're things you can buy, and things you cannot.
You cannot buy a different self.
Politics, volunteering, social games, arts and sports
are the new frontier.
And we act to define what we are.