The problem is that postbank.de uses name servers that send responses that are subtly untrue (bad type bitmaps in NSEC3) that cause problems for resolvers implementing an extremely aggressive version of RFC 8198 Aggressive Use of DNSSEC-Validated Cache. As far as I am aware, the only resolver that uses DNSSEC type bitmaps for synthesis is the open source Knot resolver, which Cloudflare uses for their 1.1.1.1 service. The problematic name servers are F5 devices used for postbank.de and other domains (the DNS violations tracker issue includes a number of Czech domains, presumably since Knot is a Czech product and is more commonly used there).
You are not seeing the DNSSEC records for any postbank.de domains from 1.1.1.1 because Cloudflare has disabled DNSSEC for postbank.de because of this incompatibility. Since it doesn’t query for the DNSSEC records, it cannot return them.
You can use any other DNSSEC-validating resolver, such as Google (8.8.8.8), Verisign (64.6.64.6), or Quad9 (9.9.9.9) to resolve these domains with DNSSEC records.
If you strongly prefer Cloudflare, consider opening a feature request issue for the Knot resolver to allow disabling the aggressive DNSSEC cache feature for particular domains without disabling DNSSEC validation entirely. Google’s resolver has this capability (see this example with even gorier technical details), and it is a poor operational response to disable the security features of DNSSEC (which are working for these domains) because F5 name servers are breaking the aggressive use of DNSSEC negative response cache.
Knot resolver has a few related issues already, but they are about fixing the aggressive negative caching, not enabling more nuanced operational responses.
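An added example, not part of the original thread and not Knot's code: it encodes and parses the NSEC3 type bitmap (RFC 4034 section 4.1.2 wire format) and models, in simplified form, how a resolver doing type-bitmap synthesis answers from a cached bitmap. The record data and the exact shape of the bad bitmap (existing types left out) are constructed assumptions.

```python
# Added illustration, not from the thread. Type bitmap wire format per
# RFC 4034 section 4.1.2 (NSEC3 in RFC 5155 uses the same encoding).
TYPES = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28, "RRSIG": 46}

def encode_bitmap(type_codes):
    """Encode RR type codes as window blocks: window, length, bitmap octets."""
    windows = {}
    for code in type_codes:
        bitmap = windows.setdefault(code >> 8, bytearray(32))
        bitmap[(code & 0xFF) >> 3] |= 0x80 >> (code & 7)
    out = bytearray()
    for window in sorted(windows):
        octets = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([window, len(octets)]) + octets
    return bytes(out)

def parse_bitmap(wire):
    """Return the set of type codes present, rejecting malformed encodings."""
    codes, pos, last_window = set(), 0, -1
    while pos < len(wire):
        if pos + 2 > len(wire):
            raise ValueError("truncated window header")
        window, length = wire[pos], wire[pos + 1]
        if not 1 <= length <= 32 or window <= last_window or pos + 2 + length > len(wire):
            raise ValueError("malformed window block")
        for i, octet in enumerate(wire[pos + 2:pos + 2 + length]):
            codes.update(window * 256 + i * 8 + bit for bit in range(8) if octet & (0x80 >> bit))
        pos, last_window = pos + 2 + length, window
    return codes

def answer_from_cache(cached_bitmap, qtype):
    """Simplified model of type-bitmap synthesis: a validated, cached NSEC3
    that matches the name but lacks the qtype bit is taken as proof of NODATA."""
    if TYPES[qtype] in parse_bitmap(cached_bitmap):
        return "query upstream"
    return "NODATA synthesized from cache"

# Constructed scenario: the name really has A and AAAA records.
GOOD_BITMAP = encode_bitmap([TYPES["A"], TYPES["AAAA"], TYPES["RRSIG"]])
BAD_BITMAP = encode_bitmap([TYPES["RRSIG"]])  # assumed defect: existing types omitted

if __name__ == "__main__":
    for label, bitmap in (("good", GOOD_BITMAP), ("bad", BAD_BITMAP)):
        print(label, bitmap.hex(), "-> A query:", answer_from_cache(bitmap, "A"))
```

A resolver that ignores the bitmap for synthesis would send the A query upstream in both cases, which is why the bad bitmap only breaks resolution for the aggressive variant.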
If this reply can help or at least relate to this topic …
The .de registry should support algorithm 13 if you wish to have DNSSEC with Cloudflare, as Cloudflare currently gives us the values for the DS record only with 13.
Similar to what I have had for my websites which were using the ccTLD .hr (domene.hr / CARNet.hr), where the only ones supported were as listed here:
3, 5, 6, 7, 8, 10 algorithms (without the 13!)
So, the situation was that at the Croatian .hr ccTLD (domene.hr / CARNet.hr) registry, until August last year, it was not even possible to choose algorithm 13 and have DNSSEC enabled for .hr domains, if the domain was added to Cloudflare and we wanted to have it working as well.
Moreover, since last year, when it was urged in mid-April and finally adopted in August 2020 to support algorithm 13 for .hr ccTLD domains (it took me three and a half months to get a response and answer from them), it works perfectly.
I recommend, if it is possible, via multiple ways (you as a private person, some organization, some other, some university or faculty), to urge them, the .de ccTLD registry, to update it as soon as possible.
In case of trouble, there is always someone else who can do the monitoring and other related stuff like DNSSEC validations, maintenance, anycast, for a TLD in Europe, like Netnod and others.