Local vs remote traffic handling / split-horizon DNS?

I have a set of servers inside my network that I would like to be able to access from outside my network, and the Argo Tunnel seems to be a good idea. But unless I’m reading the documentation wrong, it seems like the cloudflared client handles all of the authentication and that all traffic would go through Cloudflare regardless of whether I’m in the local network or not.

Is there some documentation on how cloudflared handles situations like these and if I can configure some sort of split-horizon DNS based on local vs. not local connectivity?

You can in your own DNS… it violates ZTNA, but if it resolves locally it wouldn’t go to Cloudflare and thus won’t be subject to security inspection policies. Assuming your internal network is more trusted or more secure is an option, but not one that I’d recommend. <source: am the insider threat>
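
To see which names a split-horizon setup takes out of Cloudflare's path, the following added example (not part of the thread and not Cloudflare's code) classifies the addresses a resolver returns for each hostname. The hostnames, addresses and function names are constructed for illustration, and "local" is assumed to mean RFC 1918, loopback, link-local and IPv6 unique-local ranges.

```python
import ipaddress
import socket

# Ranges treated as "answered by the internal view" (assumption of this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def resolve(hostname):
    """Addresses the system resolver currently returns (run inside and outside the LAN)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """Return 'local', 'external', 'mixed' or 'unresolved' for one hostname's answers."""
    local = external = False
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        if any(ip in net for net in LOCAL_NETS):
            local = True
        else:
            external = True
    if local and external:
        return "mixed"
    if local:
        return "local"
    return "external" if external else "unresolved"

def audit(answers):
    """answers maps hostname -> list of addresses; returns hostname -> classification."""
    return {host: classify(addrs) for host, addrs in answers.items()}

def bypassing(answers):
    """Hostnames that reach a local address and so skip the inspection policies."""
    return sorted(h for h, c in audit(answers).items() if c in ("local", "mixed"))

# Constructed sample: what an internal resolver might answer for four names.
SAMPLE = {
    "wiki.example.com": ["10.0.12.5"],
    "git.example.com": ["198.51.100.7"],   # documentation address standing in for a public one
    "nas.example.com": ["192.168.1.20", "198.51.100.7"],
    "old.example.com": [],
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:20} {verdict}")
    print("bypass Cloudflare policy:", bypassing(SAMPLE))
```

Feeding `audit` the output of `resolve` from a machine on the LAN gives the same report for real names.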