Comment by ymse

10 years ago

So $6000 would get them over two years of self-service DDoS mitigation. Ouch.

If you are in the privacy business, a man-in-the-middle like CloudFlare is not the thing you try first.

  • Really? Do men-in-the-middle matter if your communications are encrypted (be it HTTPS, PGP)?

    • In this case yes, because users don't get an encrypted channel with the site's servers, only with Cloudflare. Cloudflare isn't acting as a dumb TCP proxy which would allow that. When it hosts an HTTPS website, it does so by terminating the HTTPS connections itself. Cloudflare has the private key, and can see the content of every request/response. That's necessary to compress images, inject scripts, minify code and do all the other optimization/CDN stuff they do -- but it also means making them an MITM between a site and its users.