
There are two main answers. The first one is that CloudFlare reduces overall security by acting as a universal Man-in-the-Middle that terminates TLS connections to inspect all traffic, so for any website using CloudFlare, CloudFlare will be able to see all your traffic.

The second problem is that they use their privileged position to actively block privacy-conscious users/networks as well as homegrown scrapers. Being able to browse and archive the web freely is a fundamental property of the WWW, and a single corporation deciding who gets in (Google & friends) and who doesn't (the rest of us) is a huge problem, whether you approach it from a "human rights" perspective, or a "free competition" perspective.

Website owners who go through CloudFlare are asking a private corporation to strip search anyone who wants to reach their doorbell/mailbox. Would you accept that in your neighborhood? If not, why do we accept it online?

CloudFlare forces people to enable JavaScript, or you just can't get in. This means that people who don't use a modern reputable browser (based on Firefox or Chrome) are often left out (CLI browsers, homegrown browsers, etc). People who are conscious about security and disable JS for this reason (see for example rowhammer.js as one of the many reasons why running untrusted code from the internet is the worst idea ever) are also left out. And users who have JS enabled but in a privacy-friendly browser which prevents fingerprinting, such as the Tor Browser, will be placed in infinite CAPTCHA loops. I've personally spent over an hour once stuck on a CAPTCHA that I really needed to get through.

Their argument for treating Tor users (and VPN users, etc) badly is that there is a lot of malicious traffic coming from there. However, such arguments don't hold up to scrutiny, as most attackers have access to a lot of IP addresses, and there's an entire gray/black hat industry of "residential VPNs" to acquire more for a few bucks. Moreover, as they are already terminating the TLS connection on their side to inspect the traffic, it would be rather straightforward (given a few false positives that could be reported) to block out known attacks and suspicious traffic, while letting obviously innocent requests pass through.

All in all, CloudFlare is not a 100% empire of evil, and there's a lot of good folks "just doing their job" there who even like privacy in theory. But in practice, they are reinforcing what we privacy activists fight against: centralized surveillance infrastructure and privatization of public information.

See also:

https://blog.torproject.org/trouble-cloudflare <-- Tor project debunking most of CloudFlare's claims

https://pbs.twimg.com/media/C3-GC62XAAAVbYy.jpg <-- people so annoyed at CloudFlare blocking privacy activists that they actually made Fuck CloudFlare stickers that they distributed at free-software conferences (my laptop wouldn't be the same without it)

Thanks for this detailed answer.