PS: I also wonder why policy.STUB, which would be a good fit, disables DNSSEC 🙁
.STUB also expects a resolver.
In 6.x we added forwarding of subtrees to auths. I'm not sure it's been properly tested in combination with DS override for the subtree (you have a rare use case I think), but perhaps it just works.
One more complication for you might be that the upgrade to 6.x is relatively complicated - a lot changes, e.g. rewriting the whole config. https://www.knot-resolver.cz/documentation/latest/upgrading-to-6.html
--Vladimir