Not really accusing them of anything, but CF is a giant vuln in how you'd expect TLS to work. TLS is supposed to guarantee that data between your browser and the web server is encrypted in transit, but with the CF business model there's a very convenient decryption/re-encryption step right in the middle of that.
Infiltrating CF is far, far easier than any of the other TLS-snooping methods (breaking the encryption, generating a fake cert via bad CA and intercepting, etc); it's not ridiculous to think the bogeyman-du-jour probably has fingers in CF (with their knowledge or not, doesn't really matter), and it'd be irresponsible to assume that TLS traffic going through CF is any more secure than plaintext.
If you rely on any third-party for data processing/storage, you're accepting some risk of them being compromised.
If you use CloudFlare/Akamai/Cloudfront/etc. as a CDN, a hacker could view your site's traffic.
If you use G Suite/Microsoft 365/etc. for email or document storage, a hacker could access your corporate documents and communications.
If you use EC2, Azure, or GCE, a hacker could access your storage buckets or dump your VM's RAM.
It all comes down to your threat model. Is your threat model such that you absolutely can't trust any third party with your data? If the answer is "yes" then you should completely self-host and not use a CDN or anything similar. (i.e. an email provider that specializes in providing services to whistleblowers/political dissidents should definitely not use CDNs or public cloud providers.)
But for most businesses it's an acceptable risk, especially since these giant tech companies probably have better security than they do themselves.
For anything but the smallest website, the first server a TLS connection hits is not going to be the end point of the connection. There will be caching, proxying, load balancing, etc, happening, and that will often result in connections that leave the datacenter. There will be decryption and re-encryption (hopefully!) happening many times.
I don’t see why CF is any different than these other processes. I am also confused as to why you think CF is so much easier to infiltrate than say, a CA.
Do you think the same about Amazon's ELB (and its Google/Azure equivalents)? They all are set up by the site owner to sit between user and server and decrypt TLS.
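Added example, not written by any commenter in this thread: a small Go program that stands in for the chain described in both the first comment (a CDN terminating TLS) and the one above (load balancers and proxies decrypting and re-encrypting along the way). It runs a "browser", an edge and an origin on loopback using only the standard library. The edge terminates the browser's TLS, so its handler holds the request in the clear before opening a second, separately keyed TLS session to the origin; the origin in turn accepts only clients presenting a certificate chained to an edge CA (the "authenticated origin pull" pattern), so the re-encrypted hop is not open to arbitrary callers. The CA and edge certificate names, the `/login` request and its body are constructed values for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newCert generates a P-256 key and signs tmpl with parent/parentKey; when parent
// is nil the certificate is self-signed (used here for a constructed "edge CA").
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo records what each hop observed: the plaintext the edge held after terminating the
// browser's TLS, the origin's reply, and whether a caller without the edge cert reached the origin.
type Demo struct {
	EdgeSawPlaintext string
	OriginReply      string
	DirectToOriginOK bool
}

// RunDemo wires up origin and edge on loopback and pushes one request through the chain.
func RunDemo() (Demo, error) {
	ca, caKey, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-edge-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return Demo{}, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-edge"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	if err != nil {
		return Demo{}, err
	}
	edgeCert := tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	// Origin: speaks TLS and accepts only clients whose certificate chains to the edge CA.
	origin := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		fmt.Fprintf(w, "origin got %d bytes for %s", len(body), r.URL.Path)
	}))
	origin.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	origin.StartTLS()
	defer origin.Close()

	// Edge's upstream client: trusts the origin's certificate and presents the edge cert.
	upstream := origin.Client()
	upstream.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{edgeCert}

	// Edge: the browser's TLS session ends here. The handler has the whole request in the
	// clear before it opens a second, separately keyed TLS session to the origin.
	seen := make(chan string, 1)
	edge := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		seen <- fmt.Sprintf("%s %s body=%q", r.Method, r.URL.Path, body)
		resp, err := upstream.Post(origin.URL+r.URL.Path, "text/plain", strings.NewReader(string(body)))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		io.Copy(w, resp.Body)
	}))
	defer edge.Close()

	// Browser: trusts the edge's certificate and never talks to the origin itself.
	resp, err := edge.Client().Post(edge.URL+"/login", "text/plain", strings.NewReader("user=alice&pw=hunter2"))
	if err != nil {
		return Demo{}, err
	}
	reply, _ := io.ReadAll(resp.Body)
	resp.Body.Close()

	// A caller that trusts the origin's certificate but holds no edge certificate is refused.
	originPool := x509.NewCertPool()
	originPool.AddCert(origin.Certificate())
	noCert := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: originPool}}}
	_, directErr := noCert.Get(origin.URL + "/login")
	return Demo{EdgeSawPlaintext: <-seen, OriginReply: string(reply), DirectToOriginOK: directErr == nil}, nil
}

func main() {
	d, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("edge saw in the clear: %s\nreply via edge: %s\norigin reachable without edge cert: %v\n", d.EdgeSawPlaintext, d.OriginReply, d.DirectToOriginOK)
}
```

The point the demo makes is the one the thread is circling: the browser's TLS session gives no guarantee past the first hop that terminates it, whether that hop is a CDN, an ELB or an in-house proxy. Whatever happens on the second leg (re-encryption, client-certificate checks, staying inside one datacenter) is decided by the operator, not by the browser, and the only way a site owner can see what the edge sees is to be the one running it.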