You are correct, it is quite easy to change the MAC address to something that's not blocked; that's why I suggested switching to an allow list instead. It becomes more difficult then, because then you need to know the MAC address of a device that is on the allow list. Even then, that only works if you spoof the MAC address of a device that isn't presently accounted for on the router. Not sure what would happen if the router detected two devices attempting to register the same physical address.
If you want to get really spanky and keep devices off your network, set your network up with static IP addresses. This is what I've done. Then when you set up the IP range, don't use the common 192.168.XXX.XXX range of private IP addresses. Use the 172.16.XXX.XXX or 10.0.XXX.XXX. That way it's less likely that someone will guess what IP address range you are using. With a static IP arrangement, the person trying to get on your network via, say, wireless has to know your password, then they need to know that you aren't using DHCP, then they need to know what IP address range you are using so as to pick one that they can use, then they need to know the IP address of the router (Gateway). It also helps if they know the actual subnet, but this is easier to guess than the rest. DNS addresses are easy to get; they can use Google's or OpenDNS or some other free DNS service. This takes some networking knowledge to penetrate. It also is a pain to set up initially. Once done though, you'll find managing the network is much easier. It also helps keep my kids' friends off of my network unless they come see me. My kids can give them the password, but it won't connect for them until I assign them an IP address. I don't show them how it's done, I do it for them.