Assuming bad faith in the case of Cloudflare specifically? Know first that the CIA once ran a front company for decades that was meant to be a trusted source for cryptographic hardware for use by embassies and the like: https://en.wikipedia.org/wiki/Crypto_AG

If the CIA wanted to MITM all web traffic, and why wouldn't they, a company like Cloudflare is probably exactly how they'd do it.