Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
It comes down to the same line of reasoning that most people are “OK” with using cloud, be it aws, google, oracle, microsoft etc … Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it’s always a bad idea to offload anything on a third-party specially without transparency (pinky promise)
Badger DAO lost 120M, to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack
Same issue however exists wirh domain name registerers, etc, hence even such a thing as ens.domains are much more trustworthy, and it’s much harder to exploit.