>Is it better to access the root server directly, or to forward Unbound to dnsscrypt?
I think it depends on how much you trust the dnscrypt operator you're using vs how much you trust that your network traffic between you and the root server, then you and the TLD authoritative servers, and then you and the nameservers of the domain you're trying to fetch isn't being intercepted or tampered with.
DNSSEC is still not widely deployed, so that's not much help. It also only provides authentication of the data you're receiving, not privacy.
>Is it not better to set up a vps offshore, and forward all of your traffic through it, than using a dnsscrypt?
DNS leaks while using a VPN (which is what I assume you mean by routing through a VPS, although I suppose you could be using ssh forwarding or something instead) are common, so you'd have to make sure that's not happening.
Then, even if your DNS requests are being routed through your VPS what's happening on that end?
All of this depends on your threat model. What's your goal? To ensure the authenticity of the DNS information you're receiving? To ensure that your DNS requests are private? Both? Who are your adversaries? Malicious actors on coffee shop wifi? Your skiddie roommate on your home network? Incompetents/data miners at your ISP? MI5? GCHQ?