Verisign already controls huge portions of the internet (as a registry and certificate authority) and Cloudflafe controls much of the rest. Giving up .gov does very little to move the needle.
Not that I stay up at night worrying about Cloudflare, but Cloudflare is literally the Man In The Middle between the user and the instances running at AWS, GCP, or Azure.
Isn't that the whole value proposition of Cloudflare?
Nearly all traffic (in terms of volume) gets swallowed by CloudFlare and never approaches most instances: DDoS attacks swallowed whole, WAF rules block illegitimate traffic (which is, in most cases, the vast majority of traffic to dynamic endpoints or, frequently, non-existent endpoints, if you've ever tailed webserver logs), and Cloudflare-caching handles most of the remainder for static and cacheable files -- leaving those servers with a mostly-sanitized and far lower volume of traffic. If you're using edge workers, even less traffic hits your servers.
But, yes, out of the remaining traffic that enters AWS/GCP/Azure's network, they certainly can see what's happening on those machines if they care to look.
Yeah, that is one of the main value props of Cloudflare. They just slap you with scale. Entire classes of problems like DDOS just become non issues when you front with them. Most people when talking about Cloudflare have few complaints about the actual services they offer. It’s way more often about how they are so good and widespread that you don’t have many other choices and how dangerous that is in the long term.