They can only see the DNS requests, potentially. That's the only thing that's still not encrypted. So if you, for the sake of argument, go to PornHub, Roku will know you watch porn. They don't get the full URL (web address) -- that part is encrypted along with the page if the page is using HTTPS protocol. If using HTTP protocol, however, they can get the full URL as well, plus cookies and potentially page content.
From your selection of websites they can also fairly reliably infer your age, gender, income level, level of education, health problems, etc. And that's before they correlate you with other data sources. They can also tie this to your public IP address, which doesn't change very often. That way if someone else is tracking you (and you can bet there are hundreds of companies doing just that, though not from within your house), they can simply join this data by IP address and augment your profile with even more relevant details.
Moreover, if you're using Google DNS or Open DNS or your network provider DNS, whoever provides your DNS has a full list of the domains you've visited (but again, not full URLs), and can use it for ad targeting. The only popular DNS service that has publicly committed to _not_ logging the requests is CloudFlare's
https://1.1.1.1/. That's what I use.
I'd chuck this Roku shit into the dumpster if I was you, and get an Apple TV instead. Apple is the only major tech company that emphasizes privacy and uses it as a selling point.