Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
You don’t need to use CF tunnels to get DDoS protection and to hide your IP. If you are using CF tunnels without being undee a CG-NAT then you are getting MITM’d for nothing.