One of the main criticisms that Cloudflare faces in my circles is that they require your custom SSL certificate’s private key in order to function, which probably means it has to decrypt traffic to work. They speculate that Cloudflare does this for either self-enrichment purposes, or at the request of government for LEO.
It would be nice if it were possible to keep traffic completely encrypted. Cloudflare has a strong history of security but it’s not flawless.
For enterprise customers we support keyless SSL. It does require that the customer maintain a highly available public key server.
Because we are an SSL termination endpoint in order to provide the services that we do, it’s necessary for us to decrypt the traffic before processing a request and serving a response/sending requests on to the origin server.
I’m not sure what value we could provide beyond basic port blocking if all we did was act as a firewall (which is really all we could do if we didn’t decrypt the traffic).
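To make the split the reply describes concrete: in a keyless-SSL style deployment the customer's key server holds the private key and answers signing requests, while the edge still terminates TLS and therefore still derives the session keys and sees plaintext. The following Go program is an added illustration written for this page, not Cloudflare's code or protocol; the `KeyServer`/`Edge` types, the single-digest signing request and the "handshake transcript" byte string are all constructed for the example, and real deployments add mutual TLS between edge and key server, request authentication, and rate limiting that are omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyServer models the customer-run key server (hypothetical type): it holds
// the certificate's private key and answers signing requests, but it never
// receives the TLS session traffic itself.
type KeyServer struct {
	priv *rsa.PrivateKey
}

// NewKeyServer generates a fresh RSA key pair standing in for the
// certificate's key; in practice this would be loaded from the customer's HSM
// or key file.
func NewKeyServer(bits int) (*KeyServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: k}, nil
}

// Sign answers one signing request. The edge sends only a SHA-256 digest of
// the handshake data, so the key server learns nothing about the request or
// response bodies that the edge later decrypts.
func (ks *KeyServer) Sign(digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, ks.priv, crypto.SHA256, digest)
}

// PublicKey is what ships in the certificate the edge serves to clients.
func (ks *KeyServer) PublicKey() *rsa.PublicKey { return &ks.priv.PublicKey }

// Edge models the TLS-terminating edge (hypothetical type): it has the
// certificate and the handshake transcript, but no private key. The sign
// field stands in for the network call to the key server.
type Edge struct {
	pub  *rsa.PublicKey
	sign func(digest []byte) ([]byte, error)
}

// HandshakeSignature produces the server's handshake signature by hashing the
// transcript locally and delegating only the digest to the key server. The
// session keys for the connection are still derived at the edge, which is why
// the edge, not the key server, ends up handling plaintext.
func (e *Edge) HandshakeSignature(transcript []byte) ([]byte, error) {
	d := sha256.Sum256(transcript)
	return e.sign(d[:])
}

// VerifyHandshakeSignature is the client's side: it checks the signature
// against the public key in the certificate, so the split between edge and
// key server is invisible to it.
func VerifyHandshakeSignature(pub *rsa.PublicKey, transcript, sig []byte) bool {
	d := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

func main() {
	ks, err := NewKeyServer(2048)
	if err != nil {
		panic(err)
	}
	edge := &Edge{pub: ks.PublicKey(), sign: ks.Sign}

	// Constructed stand-in for the bytes a TLS server signs during the handshake.
	transcript := []byte("constructed handshake transcript: ClientHello||ServerHello||...")
	sig, err := edge.HandshakeSignature(transcript)
	if err != nil {
		panic(err)
	}
	fmt.Println("client verifies edge signature:", VerifyHandshakeSignature(ks.PublicKey(), transcript, sig))
	fmt.Println("tampered transcript verifies:", VerifyHandshakeSignature(ks.PublicKey(), []byte("tampered"), sig))
}
```

The thing to notice is what each party holds: the key server sees digests and produces signatures, the edge sees the transcript and later the decrypted requests, and the client sees only an ordinary certificate. Keeping the private key off the edge removes one exposure (a compromised edge cannot impersonate the origin after the fact), but it does not make the traffic opaque to whoever terminates the connection, which is the point the reply is making.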