1. Use a browser extension that throws a warning on all Unicode domains (maybe even with Unicode highlighting). Drawback: Needs to be done per-device.
2. Let your Pi-hole MitM all HTTPS traffic with a certificate you do NOT trust (maybe create one per domain, so you can add it to the trusted list); if the connection is over HTTP, upgrade it to HTTPS (if the server doesn't speak HTTPS, proxy it). Drawback: It's much more complicated, and if your bank happens to be called e.g. "Bank of Zürich" you still need to take a look at the IDN to determine if you're on the right website (or add an exception).
Modification of the 2nd idea: run two dnsmasq servers, one that does the resolving and listens on the loopback interface, and another listening on 53/udp with no-resolv, a whitelist of IDNs, and filtering rules to pass normal and block other punycode DNs.
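The pass/block rule from the whitelist idea above, sketched in Python as an added example (not code from any poster in this thread, and not a dnsmasq configuration). The allowlist entry, the sample query names and all function names are constructed for illustration.

```python
# Added example: pass/block decision for a DNS filter with an IDN allowlist.
# ALLOWED_IDNS and the sample names below are constructed, not from the thread.
ALLOWED_IDNS = {"xn--zrich-kva.example"}  # "zürich.example", reviewed by hand


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def is_idn(qname: str) -> bool:
    """True if any label carries the ACE prefix 'xn--' (punycode)."""
    return any(l.startswith("xn--") for l in normalize(qname).split("."))


def to_unicode(qname: str) -> str:
    """Decode punycode labels for the log; malformed labels stay as-is."""
    out = []
    for label in normalize(qname).split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label; it is blocked unless allowlisted
        out.append(label)
    return ".".join(out)


def decide(qname: str, allowed=ALLOWED_IDNS) -> str:
    """'pass' for plain ASCII names and allowlisted IDNs, else 'block'."""
    name = normalize(qname)
    if not is_idn(name):
        return "pass"
    for entry in allowed:
        # Exact match, or a subdomain of an allowlisted IDN.
        if name == entry or name.endswith("." + entry):
            return "pass"
    return "block"


if __name__ == "__main__":
    samples = ["example.com.", "XN--ZRICH-KVA.example",
               "www.xn--zrich-kva.example", "xn--bnk-qla.example"]
    for q in samples:
        print(f"{decide(q):5}  {q}  ({to_unicode(q)})")
```

Logging the decoded form next to each blocked name lets whoever maintains the allowlist see what the user would have seen in the address bar before adding an exception.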