The argument would be that they sell the kevlar and the guns
Kevlar:
https://developers.cloudflare.com/bots/
https://www.cloudflare.com/products/turnstile/
Guns:
https://support.cloudflarewarp.com/
To be fair, CF mainly develops defensive cybersecurity products, the extent to which their tools might be used maliciously is pretty on par with other regular tools.
But, it just has bad optics and potential COI/Racketeering when CF is at both sides of the counter.
To be explicit, in case it isn't obvious,Cloudflare emerged as a DDoS protection company, detecting attacks from distributed sources is part of the raison d'etre, and domains and IP addresses are a key part of that infrastructure.
By subletting their own IP addresses for navigation with warp, and their own domains for hosting of webcontent with subdomain hosting, they are providing pooled anonimity for their customers, which is precisely what makes it very hard for defenders on the other side to implement foundational security measures like IP bans, or IP block bans, or domain bans, or Whois/RDAP domain analysis.