…and next time when it’s harmful they lose their entire business.

Doesn’t seem to make a lot of sense, does it?

What doesn't make sense for a business might for a government agency. Cloudflare way too juicy of a target to be left alone.

Only if the harm becomes known.

The point of using Cloudflare is the security features. You're entrusting proxying and DDOS management to a third party.

If you're at that level of scrutiny, that's not a service for you in the first place.

cloudflares business model is literally to mitm their customers. they incidentally also get access to unencrypted versions of all https traffic to cloudfare enabled sites