Well yeah, it’s not easy. Which is why they limit what they do to the aggregated data or to targeted discovery.

But that’s only a small technical hurdle and the speed with which you can analyze the data grows much faster than the volume (especially if you are smart about what data you analyze and how you do it) so it won’t last forever.

Wiretapping is only illegal if it isn’t sanctioned in some way.

They can spy on anyone who isn’t an American citizen legally, so they could probably tap into any server that’s outside the US.

They can also spy on people if a secret court allows them to do so, and (by design) you would never even know about it.

Lastly they can simply have deals with agencies from other countries that have similar “restrictions” where they tap into the US data and then they just exchange the collected data, because then it’s technically not them who is doing it so it’s perfectly legal.

They certainly have no obligation (or desire) to keep anyone’s data private - especially from themselves.

ThePirateBay, the most notorious site in the world, uses Cloudflare.

It wouldn’t be far fetched to think that now that the battle against it was lost on all fronts it would work as a good honeypot. You never know what or who is behind it.

Right, but it’s not necessary only about that; if you care about other people and/or you don’t want to give the US and their spy agencies more power - perhaps if they are opposed to what they do and the idea of mass surveillance in general (and that’s even if it doesn’t affect you directly, which is most likely the case) this is a pretty simple way to make sure that you aren’t contributing to it.

It’s like with, I dunno, consumerism. If you don’t like it, just don’t do it since it opposes your views anyway. And sure your impact will be pretty small but it’s still easy to do and it’s kind of a win-win situation?

As I said in another comment, it’s more about your visitors than you.

Sure maybe if you have a completely generic blog about cooking or something it doesn’t matter much. But still as long as you can use that information (along with information from every other site that user visits through Cloudflare) to infer stuff about that person it becomes kinda scary.

Because it’s “everyone’s MITM” it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.

Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.

I’d be really surprised if someone wasn’t taking advantage of that.

Which is to say if you selfhost because you want more control and privacy, you probably want to avoid services like that.