[sfeng]

I’m sorry, but once an attacker can run arbitrary commands on your machines, it seems like your personal security battle has been lost. Cloudflare Tunnel isn’t doing anything that an attacker couldn’t do with a huge list of other tools, including a script that just loads some remote HTTP address for evil things to do next.

[autoexec]

You're right that this is only a problem when you're already compromised. The real problem is that cloudflare makes it difficult for networks to detect when that happens.

If a device on your network suddenly runs "a script that just loads some remote HTTP address for evil things to do next" that connection attempt to some strange remote HTTP address is a great indicator that you've got a compromised system somewhere. When all traffic, good and evil, flows to/from cloudflare it's harder to spot the evil.