Firstly, we do not use unencrypted connections, everything is done through HTTPS.

Then, the developers of the former DNSSEC-Validator said themselves they would not port their extension because of missing APIs in Firefox 57+. As mentionned in another comment, as far as we know, there is no way of crafting and executing a raw UDP or TCP packet in Firefox 57+. We are therefore forced to use HTTPS to perform all DNS queries through HTTP resolvers.

That being said, I agree using Google by default is not a good choice, and a choice that was made as a proof of concept. I am in the process of forking OpenDNS HTTP resolver to support reporting DNSSEC status, so you can self-host your resolver and use it with this extension instead of Google's.

But that self-hosted resolver will always be an option. The extension has to work on first run, for non-technical people, and must use a publicly-hosted HTTP-based DNS resolver. If you have any service that does that outside Google, I'll be happy to integrate it.