by Kimm0n0 3882 days ago
If you are in the privacy business, a man-in-the-middle like CloudFlare is not the thing you try first.

Really? Do men-in-the-middle matter if your communications are encrypted (be it HTTPS, PGP)?
In this case yes, because users don't get an encrypted channel with the site's servers, only with Cloudflare. Cloudflare isn't acting as a dumb TCP proxy which would allow that. When it hosts an HTTPS website, it does so by terminating the HTTPS connections itself. Cloudflare has the private key, and can see the content of every request/response. That's necessary to compress images, inject scripts, minify code and do all the other optimization/CDN stuff they do -- but it also means making them an MITM between a site and its users.