by judge2020 1587 days ago
All this changes is how CF connects to the server. Like the rest of CF, outside of using Spectrum Enterprise (which enables TCP 443 tunneling), CF removes TLS at their servers and inspects the traffic so all of its caching/firewall/etc. features can be applied. It does add it back when talking to a tunnel, so it’s non-plaintext on the wire.

Thank you. Yes, I assumed that the tunnel was encrypted, but I was interested in using Cloudflare only as an untrusted reverse proxy / bastion server in front of my personal homeserver, no traffic inspection or caching or anything else.

Your comment and u/pedrogpimenta's give very different answers; I guess I'll need to verify for myself.