Yes, this is by design.
Providing the domain name to the target server is very useful, not just for abuse defense but also basic debugging and observability (e.g. “Whoa, where’s all this traffic coming from? Oh, that’s our partner example.com, I’ll go ask them about it.”). We also felt that being transparent here would help avoid situations where angry server admins receiving unexplained traffic decide to block the entire Cloudflare Workers platform.
On the other hand, we couldn’t think of any non-abusive use cases where hiding the zone name would be useful. If you have one in mind, though, I’d love to hear about it.