This is the price of "HTTPS Everywhere" security theater.
HTTPS everywhere isn't security theater. It prevents ISPs and coffee shop wifi snoopers from intercepting unencrypted traffic. Combined with certificate pinning et al., it also protects users against those governments that don't control the CDN that serves the HTTPS traffic.
It's not like CloudFlare can't see passwords if you don't use HTTPS. I don't think it's security theater, because CloudFlare being compromised is only one out of a large class of potential attacks.
That said, I fully agree that it would be nice to not have to trust CloudFlare.
That's how Cloudflare works. At least 36,000 domains let Cloudflare act as a MITM for them. Including "news.ycombinator.com".
This is the price of "HTTPS Everywhere" security theater.
Also, if you know the IP address and the length, you can often figure out what static content was accessed.