(I am not a lawyer, educated guesses below. Seek legal advice if you need it!)
Direct access to what?
No doubt governments can get access to the wires, and sniff as much traffic as they want. The migration of the web towards encrypted protocols makes such interception more and more difficult, perhaps even impractical.
It is not clear if any company could be compelled to grant a government access to execute unknown code on their servers, or to alter their code or configuration to facilitate interception. In some cases companies have been paid to do so, but that is a different matter.
Cloudflare claim that they do not log the IP addresses accessing 1.1.1.1. If they were compelled to log the data, they could be compelled to not tell anybody that it has happened (see National Security Letters in the USA). However, I am pretty sure that they could not be compelled to actively lie about the activity.
This last statement is best seen in the statement in their Transparency Report that says that Cloudflare:
has never installed any law enforcement software or equipment anywhere on their network;
That is a ‘canary’. If it ever becomes false, they delete it from the report. It is generally agreed that a court cannot force them to include such a statement in a publication with the company and court knowing it to be false. There are various such statements, and they all serve the same purpose. They periodically publish a series of statements, and if they stop publishing one everybody knows what has happened.
In summary, they have direct access to whatever they want; you can easily read about it by searching for “secretas metadados” and translating to your language.
If the resolvers in Lisbon could be trusted, ■■■■ no.