Can't you do mac filtering on your router at the very least?
Why not install root certs on all your kids' devices and then force them through your home proxy so you can run content classification and proactively block and get reports of what you've blocked? A little privacy-invasive, but if your kids are young enough, it makes sense to get alerts when they've attempted to access boobs or gore so you can have a convo about it.
The easiest route here in my opinion aside from DNS services that claim to block adult content would be to use a Squid SSL Bump proxy. It's along the lines of what you are suggesting and requires installing a self signed CA cert on the client but gives you centralized management of what domains, URLs, file types, times of day, URL patterns are allowed/permitted as well as a memory and disk cache to reduce bandwidth. This [1] is a really old example based on Squid 3.x but this concept has improved a lot in Squid 6.x. Sites that still do public key pinning there are a handful will have to be added to Squid's SSL BUMP exclusion. Ignore the term SSL, it's TLS but they kept the term the same.
Why not install root certs on all your kids' devices and then force them through your home proxy so you can run content classification and proactively block and get reports of what you've blocked? A little privacy-invasive, but if your kids are young enough, it makes sense to get alerts when they've attempted to access boobs or gore so you can have a convo about it.