It would appear requests for unknown hosts are still mapped to their respective zone and run through the security layers before being rejected.
I just had the case where requests for previously configured hosts showed up in the firewall log. Considering these hosts do not exist any more I would assume at this point whoever sent the requests cached the IP and connected to it using the, now, outdated hostnames and I would have expected those requests to be rejected straight away without any additional processing steps. Request comes in for an unknown host -> Cloudflare immediately rejects it.
That does not seem to be the case however. These requests still seem to be mapped to their respective zone and run through its security layer configuration (firewall engine, IP access rules, etc.) and show up as entries if there is a match. Should that really be the case? I would believe it shouldnt.
For the record, I opened ticket #1671031 but the response was not all too useful.