Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
ThePirateBay, the most notorious site in the world, uses Cloudflare. This isn’t China. Wiretapping is illegal in most circumstances, and that’s essentially what it would be doing.
Wiretapping is only illegal if it isn’t sanctioned in some way.
They can spy on anyone who isn’t an American citizen legally, so they could probably tap into any server that’s outside the US.
They can also spy on people if a secret court allows them to do so, and (by design) you would never even know about it.
Lastly they can simply have deals with agencies from other countries that have similar “restrictions” where they tap into the US data and then they just exchange the collected data, because then it’s technically not them who is doing it so it’s perfectly legal.
They certainly have no obligation (or desire) to keep anyone’s data private - especially from themselves.
It wouldn’t be far fetched to think that now that the battle against it was lost on all fronts it would work as a good honeypot. You never know what or who is behind it.