Right. Doesn't protect against the NSA, but it protects against e.g. hackers snooping on unsecured WiFi or malicious actors creating a MITM WiFi access point to snoop on your traffic.
Sure. The intermediate network(s) could sniff the traffic (or the lines could physically be tapped). There could be a BGP hijack on the origin IP, or a DNS hijack if using a hostname as the origin.
But these types of attacks are a lot more advanced than a guy with a packet sniffer in a Starbucks, and will target different types of victims. I.e., if you run a small web forum, it's unlikely someone is going to perform a BGP attack to steal your users' passwords. And the types of ISPs between Cloudflare and AWS usually won't inject ads into HTTP traffic.
The NSA's MUSCULAR project was running physical taps on the fiber links that BigCorps were running between their own physical infrastructure. I'm sure they could find a way to get between CloudFlare and the sites it terminates HTTPS for, if they really want to.
Most likely would be a VPS or VLAN bug at a place like Digital Ocean, Linode, etc., that let you spy on neighbor VPS traffic. Not that it happens often, but there are historical bugs to escape VMs and/or containers. Once out, you could sniff traffic for the whole physical box.
Or a router/switch exploit. Create a monitor port and dump the traffic wherever you want.