1. The need to trust Cloudflare is a no-go for some. I trust them and I think solutions like this are better than the "roll your own" type you'll see with self-managed PKI and VNC, but someone having the ability to MitM the remote connections is going to elicit a hard pass from some people I know. Or did I get that wrong? Cloudflare can MitM the connection if they want, right?
2. Local/private traffic becomes non-local traffic. For example, I know of a place that's part of a large private network and all their internal traffic (between physical locations) transits that network without hitting the internet. They also have traffic management policies that favor keeping traffic on the private network whenever possible.
The second one is a fairly specific case though.
There's some awesomeness to this type of setup that uses Cloudflare Access. I was recently working on a network where we needed remote access to a single machine, but also needed to loop in a couple people from different organizations. It seems like there are a dozen systems for remote access and screen sharing and everyone is on a different one. Coordinating a couple people to collaborate was a pain and collaboration tools with screen sharing don't allow you to leave access to the remote machine in place if one of the participants needs it.
I wish Cloudflare Access had the concept of free guests and a OneDrive-like workflow for sharing access to apps / resources. Maybe it does, but I don't use it beyond testing. For example, I'd like to configure VNC as described and be able to "share" the resource with an external user via email, where they can get a one-time PIN for auth and where I can set an expiry on the share.
Do I have to pay for guests that only log in once or twice via Cloudflare Access? I know they get marked as inactive if they don't log in during a month, but having to pay for them (and think about it before sharing) takes away from something that's pretty awesome otherwise. This is the reason I dropped paid GitLab too. Paying for external users that barely use the service is a no-go for me.