To be fair, Cloudflare don't intercept TLS unless you, as a customer of theirs, specifically ask them to. You can use Cloudlfare for lots of services without having your TLS traffic intercepted by them.
Maybe not TLS, but Cloudflare does mirror and intercept traffic meant for third party non-customer domains when a customer domain decides they want to use cloudflare's AMP service. This is done in the name of 'faster' access. But really it's just cloudflare mirror your domains and serving them up so you never see the hits coming from cloudflare user domains with AMP enabled.
