On 31/05/2024 13.04, oui.mages_0w@icloud.com wrote:
> Unless the policy module allows filtering by the IP listened on, I will still need to use split instances: we don’t select on the server side which client is to use dns64 or not, but as an ISP, we leave the choice to the clients to decide which DNS resolver they want to use (one of ours with or without dns64, or a third party).

That is possible, but with 5.x I probably wouldn't recommend it, as it's been left out of documentation (by mistake) and overall I don't have much trust in that part of 5.x policies.

But after you migrate to >= 6.x, I would recommend just having a single shared configuration.  And in views you can select dst-subnet paired with dns64 options.  Such deployments were taken into account when designing 6.x views.  https://www.knot-resolver.cz/documentation/latest/config-views.html#config-views

In 6.x it would probably also be harder for you to run multiple configurations at once on a single machine, so that's another reason to unify this when you migrate.

--Vladimir