To clarify this, using the Cloudflare configuration, it is all hostnames within the domain. The includeSubdomains option is in addition to that, and would cover any matching names also.
In general, enabling HSTS in Cloudflare is relatively safe, but if you have any hostnames within the domain without SSL available, then the includeSubdomains and Preload directives should not be enabled.
Setting max-age=0 tells browsers to forget previous HSTS settings that they have learned for that domain. It is a special value to disable HSTS for domains where it was previously enabled, and is really a break glass value.
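The behaviour described above can be checked against a hostname inventory before the options are turned on. The following is an added example, not part of the original post and not Cloudflare's code: a simplified model of how a browser stores HSTS policy, where the names `HstsStore`, `hosts_broken_by` and the `example.com` inventory are constructed for illustration, and the preload list is not modelled.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub, preload

class HstsStore:
    """Simplified model of the HSTS entries a browser has learned."""
    def __init__(self):
        self.entries = {}  # host -> (expiry time, include_subdomains)

    def observe(self, host, header, now):
        # Record a header received over HTTPS from `host` at time `now` (seconds).
        max_age, include_sub, _ = parse_hsts(header)
        if max_age == 0:
            self.entries.pop(host, None)     # break glass: forget this host
        else:
            self.entries[host] = (now + max_age, include_sub)

    def forces_https(self, host, now):
        # Exact match always applies; a parent entry applies only with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def hosts_broken_by(header, apex, https_by_host):
    """Hosts a browser would force to HTTPS although the inventory says they have no SSL."""
    store = HstsStore()
    store.observe(apex, header, now=0)
    return sorted(h for h, has_tls in https_by_host.items()
                  if not has_tls and store.forces_https(h, now=1))

# Constructed inventory: hostname -> whether HTTPS is available
INVENTORY = {"example.com": True, "www.example.com": True, "legacy.example.com": False}
```

An empty result from `hosts_broken_by` for the header you plan to send means no inventoried hostname without SSL would be forced onto HTTPS by the apex policy.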