Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
What is it you’re afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?
Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?
In reality, other than commodity malware that your security suite should easily pick up, there isn’t much threat in my opinion.
The question was a more general one, and not specific to my personal data needs.
The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.
As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF’s free tier isn’t viewed with the same level of scrutiny?