And yes, intelligence agencies would be incompetent if they haven't already implemented methods of penetrating CDN providers, or working on doing so. All of them, not just CloudFlare.
Among other things, it's much harder to get caught in interception on an MITM box. The user never has any kind of real visibility into system. One can also easily force users onto CDN/mitigation services with a simple DOS attack, it's a lot harder to get a target onto particular hosting.
Cloudflare is a CDN, so compare them to Fastly, Akamai, and all the various other CDNs listed at https://en.wikipedia.org/wiki/Content_delivery_network
And yes, intelligence agencies would be incompetent if they haven't already implemented methods of penetrating CDN providers, or working on doing so. All of them, not just CloudFlare.