by gkop 3629 days ago
And it's Cloudflare's decision to expose the endpoint as HTTPS, suggesting to visitors that it's a secure endpoint when Cloudflare knows that it is not.

It's each website's decision to use (or not use) Cloudflare. It's thus also by extension each website's decision to expose the site over HTTPS.
For sure. From the perspective of a visitor to the site, you see the padlock, it should be secure. Cloudflare makes it extremely easy to disguise an insecure endpoint as a secure one. In fact, Cloudflare does this for free! It harms visitors.
... And it's the customer's decision to leave the Cloudflare->upstream link in the clear. Just like it was Google's decision to add and remove SSL between the frontend server and the backends.

Cloudflare is part of the customer's website; it's not some random third party that happens to be there on the path to the HTTP client.