by geofft 3023 days ago
I genuinely do not think that the risk of a state actor persistently compromising Cloudflare is higher than the risk of a state actor persistently compromising the average self-hosted LAMP site. Or, in other words, I think it is a lot more likely that your website and mine (I also self-host but just for laziness/familiarity reasons) are already compromised by state actors and have been for years without us noticing (how would we?) than that Cloudflare is already compromised without them noticing.

The cost to a state actor to mass-exploit a random 0-day on hobbyist targets, set up a persistent back door, and leave is very low. The benefit is low, too, but there's no real reason why they shouldn't do it just in case they end up needing it ever. And the risk is low because they look just like "random people."