It doesn't really matter for a blog without auth, but when you are using cloudflare's https, the connection is not encryptes between CF and GitHub, so it's not end to end encrypted.
I recommend simply migrating even if you keep the DNS itself on cloudflare. It's a good exercise if nothing else.
It can be encrypted if you're using Full SSL on Cloudflare[1], but it's not authenticated, meaning anyone actively MITMing the connection between CF and GH could easily read and change the traffic. That said, it's not any script-kiddie who can MITM a connection between two DCs, so I think it's hardly a grave threat.
I think the only real gain is not allowing CF itself to see who is accessing your blog.
Ah, ok. But how so? You can get a LE cert as long as you can serve a file in the correct URL, or set a certain DNS record. I don't see why proxying would prevent that.
Oh, of course. I was thinking of Let's Encrypt's DNS-based authentication since that's the only thing I use nowadays (though of course Github isn't using that). Ignore me.
I recommend simply migrating even if you keep the DNS itself on cloudflare. It's a good exercise if nothing else.