[strombofulous]

Yes, although it requires configuration https://developers.cloudflare.com/ssl/get-started/

[creatonez]

When you add a DNS rule, it's configured as proxied by default. Here is what it looks like in the UI:

https://i.imgur.com/TO2Tfk3.png

https://i.imgur.com/jVW5db4.png

[arch-choot]

I'm pretty sure the default is they can see all the cleartext, since their product is based on TLS interception, for example to evaluate page rules.

This is also how they insert extra headers in both the request and response.

[midasuni]

If cloudflare have thr certificate’s private key and are advertising the A record they have access to everything you send, from emails to credit card numbers.