But since you are trusting Visa and it is trusting Cloudflare in this arrangement (and it's not very different from if you used a bulk hosted site and technically the bulk host could be eavesdropping) actually only one of those 4 options makes a practical difference.
The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.
But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.
Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.
The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.
But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.
Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.