The universal SSL thing is egregious. You just can’t take the company seriously when they allow this so nonchalantly. Browsers should mark these endpoints the same as plaintext endpoints.
I basically only use Cloudflare for SSL as a stopgap until I have time to buy my own cert and add it to nginx (which is very easy to do).
I otherwise refuse to use them given the fact they basically block Tor, by having captchas appear so often most sites are unusable. They always sidestep confronting this issue by saying they don’t ‘technically’ block Tor which is even more angering.
Plus the whole MITM and passive analytics consumption they have the potential to be coerced into doing. They provide a great service but the compromise is too much to hand over at such a large scale IMO.