How is Cloudflare any different from a cloud service provider like AWS, Azure, Google Cloud, Linode, Digital Ocean, etc?

Those are also third-party companies who terminate TLS sessions on your behalf and thus have access to your private keys. It seems like they could secretly decrypt and copy your traffic at least as easily as Cloudflare could. Even leased managed hardware requires you to trust the company running the hardware for you.

You have to go all the way to installing and running your own hardware in a locked cage at a data center to even theoretically exclude all 3rd party access to your private TLS keys.

In this regard, don't compare them to AWS, Azure, Google Cloud, etc.

Cloudflare is a CDN, so compare them to Fastly, Akamai, and all the various other CDNs listed at https://en.wikipedia.org/wiki/Content_delivery_network

And yes, intelligence agencies would be incompetent if they haven't already implemented methods of penetrating CDN providers, or aren't working on doing so. All of them, not just Cloudflare.


Why would penetrating a CDN company be worse than penetrating a cloud hosting provider, when it comes to decrypting TLS traffic?


Among other things, it's much harder to get caught intercepting on an MITM box. The user never has any kind of real visibility into the system. One can also easily force users onto CDN/mitigation services with a simple DoS attack; it's a lot harder to get a target onto particular hosting.
