Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
I’m either reading this wrong or there’s a disconnect in knowledge. If you have your own SSL cert and do the termination of that on your end, CF cannot do any MITM without an error on the user’s end.
However, if your just setting up an a record or whatever to your server that isn’t doing ssl termination, then yes they are mitm
Cloudflares Web Application Firewall or ‘WAF’ is a reverse proxy that sits in front of your server issuing it’s own certs valid for your domain (cloudflare is a CA, and has control over your DNS to get others to issue certs for them). They then provide caching alongside DDOS protection, geoblocking, various customizable firewall settings, as well as just masking your servers ip with their own. This is their primary service aside from just basic DNS/registrar services.