The WAF is $20/month and as far as I know you don't get it automatically for free by using Cloudflare Tunnel, though feel free to correct me.
There was the case of them enabling mitigations for the log4j vulnerabilities for anyone on Cloudflare, but that was an exception.
Yes, WAF is one of the features you get if you're not on their free app service plan. I think having the option of simply upgrading and turning it on if it becomes necessary, makes the free offering quite attractive.
I haven't used CF in anger, so can't vouch for it more than that.
What do you then mean by a "relatively small L7 ddos that Cloudflare would not likely mitigate"? It seems to me that their WAF would mitigate that and I can worry even less about threats.
Being using them for many years, way better and cheaper than AWS.