Security should be done in layers, and no honest security company will ever promise 100% protection, as that’s not feasible. Cloudflare is your first line of defense, but some threats may go past it, and that depends on many factors. Cloudflare default protection for DDoS is only triggered when an enormous amount of requests is detected, and that may be too many for your hosting provider. So yes, you should keep other lines of defense active.
There are many good alternatives in the WordPress.org plugin repository that are free. I personally use Ninja Firewall WP Edition, but Wordfence is also very popular.
You should use one or the other, but do have a origin-server firewall.
I do not suggest specific plugins, you should using the link I posted and find the one that feels more appropriate to you. I only mentioned the one I use as an example. Many users in this community prefer Wordfence, or BBQ Firewall, JetPack and several other plugins.