by berndinox 1511 days ago
While I'm an absolute Cloudflare fanboy, one wording sounds weird to me:

„Zero Trust Cloudflare Tunnel“

… at least you have to trust cloudflare, fully!

2 comments

And, in turn, while I loathe Cloudflare, I would say that's perfectly reasonable; "Zero Trust" means that you distrust the network and possibly the clients, but you generally still have to trust, at the very minimum, something to provide identity verification, and usually some sort of network proxy in front of the actual application. So long as every connection is securely encrypted in flight, I'm pretty sure it still counts as Zero Trust.
"Zero Trust" is about as good a name as "Serverless". Yeah, it kind of makes sense if you understand it already, but at first look it's pretty dumb.
Zero trust is a woolly term which means different things to different people; it's more of a strategy and principles than a technology. Ultimately you will have to trust something, and we want to make that as small a trust relationship as possible. For me, the best way is to use open source and only have trust of central key infra (the control plane/PKI) while ensuring all connections and anything that wants to attach goes through its own process of bootstrapping trust. No connections should be made to the controller or on the data plane unless endpoints have bootstrapped trust.

I work for a company that has created exactly this and we open sourced the core tech. It allows anyone to put programmable, private (outbound only) connectivity based on ZT principles into any app (SDK), host (tunneler) or network (edge router). It can support any use case across access, multi-cloud, IoT, and more.

Check it out - https://openziti.github.io/

Cloudflare's gonna check out all your girlfriends for you
Cloudflare won't let anyone dirty get through
Cloudflare's gonna wait up until you get in
Cloudflare will always find out where you've been