I already do that with my .htaccess files.
I believe the issue with those headers is that they are more likely to break a site than anything else Cloudflare does. Especially CSP.
The HSTS setting here is only available if you’re already running SSL for your domain. And that’s a pretty surefire “will work” setting. Note that you get DANGER DANGER type warnings when you enable HSTS. So imagine all the DANGER warnings Cloudflare would need to include if they enabled CSP.
I can’t speak for Cloudflare, but I’d think that’s a headache they don’t want.
What I think would be a better approach would be a Headers App. In fact, I think that’d be awesome! Other useful headers could include the HTTP/2 Push feature for certain files. Expect-CT is another header that would come in handy.
I’m sure @shimsa is familiar with header checking, but for everyone else, give it a try: