Yes, this header is reliable and is intended to be used for security and anti-abuse purposes. It actually names the Cloudflare zone, which is usually the eTLD+1, but it’s actually possible (though unusual) for Cloudflare zones to be subdomains.
We should definitely document it better, sorry about that.