Comment by const_cast

Yeah that's option 3, for now. But they won't go after cloudflare in the general case because it's too risky IMO. And cloudflare will only comply to the absolute minimum they can get away with, because they can't burn money auditing every single customer behind cloudflare.