I guess you're right about that, but it still feels a bit weird that a third party can just allocate a private key and a valid certificate without the actual owner of the domain requesting it.
If you've given up control of the DNS on your domain to a third party, they can do whatever they want with that domain - they ultimately control email, web, and any other services on that domain. So if you use Cloudflare, you've already given up that control and trust them completely with your domain.
This is what makes me hesitant about using Cloudflare or recommending it to clients; you give up a lot of control over your data and domains.
That's always going to be true at some level—even if you're hosting DNS yourself. I self-host the DNS for many of my domains on a Linode VPS. If Linode decides that they don't like me (or they just make a mistake) and re-allocates my IP addresses to someone else, they could set up their own DNS server to direct my domains however they please. However, I trust Linode to not do this, based on their track record and reputation.
You're always at the mercy of at least one vendor, unless you own your own block of IP addresses and advertise it via BGP (and even then, someone could make their own malicious advertisement of your IP block).
You can't eliminate the risk. At some point, you have to set the threshold for what risk you consider acceptable. For many organizations, using Cloudflare provides enough benefit to outweigh the slightly higher risk of something going wrong.