Sure. The intermediate network(s) could sniff the traffic (or the lines could physically be tapped). There could be a BGP hijack on the origin IP, or a DNS hijack if using a hostname as the origin.
But these types of attacks are a lot more advanced than a guy with a packet sniffer in a Starbucks, and will target different types of victims. I.E. if you run a small web forum, it's unlikely someone is going to perform a BGP attack to steal your users' passwords. And the types of ISPs between Cloudflare and AWS usually won't inject ads into HTTP traffic.
But these types of attacks are a lot more advanced than a guy with a packet sniffer in a Starbucks, and will target different types of victims. I.E. if you run a small web forum, it's unlikely someone is going to perform a BGP attack to steal your users' passwords. And the types of ISPs between Cloudflare and AWS usually won't inject ads into HTTP traffic.