I’m very new to Cloudflare, so I could be missing something, but it appears to me that the only way to implement dynamic DNS through the Cloudflare API involves authenticating with account credentials that have full account access. This is a large security concern for DDNS implementation (consider a DDNS update script/client running on shared hosting, or running on a relative’s computer that you routinely access for remote desktop troubleshooting purposes). Compare this to Hurricane Electric’s free DNS hosting service which allows setting arbitrary or random keys (passwords) individually for each DDNS-enabled A/AAAA record which are used for authentication in HTTPS requests to update said records; they can’t be used for anything else. Also compare this to Google Domains’ synthetic DDNS records, where unique username and password pairs are generated per record, which are also used via HTTP requests to update said records, and also can’t be used for anything else. In both cases, the record-specific credentials are the only ones used to authenticate to the respective remote services, so if a DDNS script implementing these credentials were to be leaked, the impact would be minimal.
With the significant security advantage that record-specific credentials bring, I think implementing such a scheme is the right thing to do (at least for DDNS use).
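The record-scoped authorization model described in the post, sketched as an added example that is not part of the original post and is not Cloudflare's, Hurricane Electric's or Google Domains' code. The class `RecordScopedDDNS`, its method names, the result strings and the sample hostnames and addresses are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


class RecordScopedDDNS:
    """Toy zone in which every DDNS-enabled record has its own update key."""

    def __init__(self):
        self.records = {}      # (name, rtype) -> current address
        self._key_hashes = {}  # (name, rtype) -> SHA-256 of that record's key

    def enable_ddns(self, name, rtype, initial_ip):
        """Owner action: create the record and return its single-purpose key."""
        key = secrets.token_urlsafe(24)  # random, high-entropy, shown once
        self.records[(name, rtype)] = initial_ip
        # Only a digest is stored; a plain hash is adequate for a random token.
        self._key_hashes[(name, rtype)] = hashlib.sha256(key.encode()).digest()
        return key

    def update(self, name, rtype, key, new_ip):
        """Client action: succeeds only with the key issued for this record."""
        expected = self._key_hashes.get((name, rtype))
        presented = hashlib.sha256(key.encode()).digest()
        known = expected is not None
        # Unknown records are compared against a dummy digest, in constant time.
        match = hmac.compare_digest(expected if known else bytes(32), presented)
        if not (known and match):
            return "denied"
        try:
            addr = ipaddress.ip_address(new_ip)
        except ValueError:
            return "bad-address"
        if (rtype, addr.version) not in {("A", 4), ("AAAA", 6)}:
            return "bad-address"
        self.records[(name, rtype)] = str(addr)
        return "updated"


def demo():
    """Constructed sample zone: two records, each with an independent key."""
    zone = RecordScopedDDNS()
    home_key = zone.enable_ddns("home.example.com", "A", "198.51.100.7")
    zone.enable_ddns("www.example.com", "A", "203.0.113.10")
    return zone, home_key
```

A key copied from the client that updates `home.example.com` changes that one record's address and nothing else; there is no call through which it can read, create or modify any other record.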