If you don't trust local ISPs the solution is not to put your eggs into the cloudflare basket which could then be plundered by the NSA fox.
Instead tunnel all traffic to some rented box in a jurisdiction of your choice and then run your own DNS resolver either in your home network or on that box.
Instead tunnel all traffic to some rented box in a jurisdiction of your choice and then run your own DNS resolver either in your home network or on that box.