Yeah it is necessary in a way but this is not the only way. Most of the users I have seen using Cloudfare or similar services, use it to protect from DDoS (too much traffic to bring down your server), global cache (quick access), free SSL and some more useful services. There are ways to do these things yourself but that costs more $$$ and nowadays, people tend to go with cheaper or usually free options for any reasons. Especially small businesses. But even if you use cloud or something to do some things yourself, they do the same thing. Honestly, it is inevitable now. So you just trust service providers. And honestly it is harder for me to explain these things in a non-technical nerdy way which itself show the gap there is. We need to educate more people. You may find these useful: https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/ https://www.reddit.com/r/privacytoolsIO/comments/8z3d3s/block_cloudflare_mitm_attack_addon/ And join +privacy if it is something that interests you.

Basically, if you visit a website which uses HTTP your browser will show you a warning that the site is not secure. Because data transferred using HTTP (a medium like air for our voice) is not encrypted. Anyone can see the data just like anyone can hear us speaking. In this case, lets say you person A said "I am a butterfly" to person B. Person C can also hear that but he is evil. To avoid other people from listening what you are saying (sending data), we use HTTPS, which encrypts (scrambled) the data so only the person speaking (A) and listening (B) can understand and person C can go brrrr. In this case, person A will use convert "I am a butterfly" to something else, such as "da sd asd asd as das d". Now only A and B can understand it because they know how to convert the letters. Person C can go brrrrr because he does not know the secret. Now in case of Cloudfare, there is a person D (which is cloudfare itself). Instead of speaking to person B directly, person A sends the message to D to pass to B, which does not hurt as person D does not know the secret too. This is called end to end encryption in nerdy world. But that does not happen, Cloudfare is like a bitch that tell the person A that she can share the secret and she will not share it with anyone else except B. But that depends on the integrity and honesty of person D. If person C is a close friend with D, D will most likely share the secret leaking the conversation. There is a very good incentive to share your data with person C so person D does that. Or may do that. It is like allowing the postman to read your letters first and then giving it to the recipient. The postman should do its fucking job and do not interfere with our personal shit. Cloudfare is or is not a good postman. But for providing the services, cloudfare provides, it may be necessary to do that but you are trusting a business bound to US laws. I hope it helps.