The DNS-over-HTTPS URL for Cloudflare Gateway doesn’t support Encrypted SNI, so the uniquely generated subdomain is always sent in plaintext. This isn’t ideal, as anyone sniffing network traffic can extract and use this unique URL to make DNS queries that are logged in the associated account.
The regular Cloudflare DNS DoH URL is using ESNI, as shown below.
Tested with appending
https://xxxxxxxxxx.cloudflare-gateway.com : sni=plaintext
https://family.cloudflare-dns.com : sni=encrypted
https://mozilla.cloudflare-dns.com : sni=encrypted
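
To check what a given DoH client actually exposes on the wire, the ClientHello can be inspected for the plaintext `server_name` extension versus the ESNI draft's `encrypted_server_name` extension (type 0xffce). The following is an added example, not part of the original post: the ClientHello bytes are constructed inline, and the function names are hypothetical.

```python
import struct

EXT_SERVER_NAME = 0x0000   # plaintext SNI (RFC 6066)
EXT_ESNI = 0xFFCE          # encrypted_server_name (draft-ietf-tls-esni)

def build_client_hello(extensions):
    """Constructed sample input: a minimal ClientHello record with the given extensions."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                      # empty session_id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_ext(host):
    """Constructed server_name extension carrying one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)

def sni_exposure(record):
    """Return ("plaintext", host), ("encrypted", None) or ("absent", None)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                     # headers, version, random
    p += 1 + record[p]                                 # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")    # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    result = ("absent", None)
    while p + 4 <= min(end, len(record)):
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            nlen = int.from_bytes(data[3:5], "big")    # skip list length and name_type
            return ("plaintext", data[5:5 + nlen].decode("ascii", "replace"))
        if etype == EXT_ESNI:
            result = ("encrypted", None)
    return result

if __name__ == "__main__":
    for exts in ([sni_ext("xxxxxxxxxx.cloudflare-gateway.com")], [(EXT_ESNI, bytes(16))]):
        print(sni_exposure(build_client_hello(exts)))
```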