Allowing queries only from the local subnet is enough for the functionality of PiVPN.

From the man page of dnsmasq:
  --local-service
    Accept DNS queries only from hosts whose address is on a local subnet,
    ie a subnet for which an interface exists on the server. This option only
    has effect if there are no --interface, --except-interface, --listen-address
    or --auth-server options. It is intended to be set as a default on installation,
    to allow unconfigured installations to be useful but also safe from being
    used for DNS amplification attacks.
Orazio 2020-07-24 14:44:59 +02:00
parent 4fc2fbf0ef
commit 139f16594d
@ -1475,10 +1475,10 @@ askClientDNS(){
# Then create an empty hosts file or clear if it exists.
$SUDO bash -c "> /etc/pivpn/hosts.$VPN"
# Set Pi-hole to "Listen on all interfaces, permit all origins" to allow dnsmasq
# to listen on the VPN interface as well. This setting matches what's suggested
# in the official guide: https://docs.pi-hole.net/guides/vpn/dual-operation
$SUDO pihole -a -i all
# Setting Pi-hole to "Listen on all interfaces" allows dnsmasq to listen on the
# VPN interface while permitting queries only from hosts whose address is on
# the LAN and VPN subnets.
$SUDO pihole -a -i local
# Use the Raspberry Pi VPN IP as DNS server.
pivpnDNS1="$vpnGw"
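Review bot: the replacement comment drops the reference to the official Pi-hole VPN guide that the removed comment carried, and the guide recommends the "permit all origins" setting this commit moves away from; keep the URL and say explicitly that `pihole -a -i local` is a deliberate departure, otherwise a later reader comparing against the guide may revert it. It would also help to note in the comment what the commit message already quotes from the dnsmasq man page: `--local-service` only takes effect when no `--interface`, `--except-interface`, `--listen-address` or `--auth-server` option is present, so any other dnsmasq configuration on the host that sets one of those would silently disable the source-subnet restriction and reopen the amplification exposure the change is meant to close.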