>a valid security strategy

Here's your confusion: personal sites don't need a valid security strategy. They don't need nine nines uptime. They don't need CDN, and ability to deploy, etc, etc. That's all (and forgive the origins of the expression but it is the most accurate description) cargo culting. There's no issue if they're down for a couple days. Laugh it off.

Whereas if you put your site behind a defaults of a cloudflare denial of service wall then real human people won't be able to access your site for as long as you use cloudflare. That's much longer and many more actual humans blocked than any DDoS from some script kiddie. Cloudflare is the ultimate denial of service to everyone that doesn't use Chrome or some other corporate browser.

And forget about hosting feeds on your website if you're behind cloudflare. CF doesn't allow feed readers because they're not bleeding edge JS virtual machines.