The way Cloudflare reaches this penetration is through BGP peering routers they have installed all over the world. If you look up in how many facilities they are located in then you realize they are basically running extensive spy network all over the world.
Even if you visit some website that has got nothing to do with Cloudflare then there is a pretty big chance(I assume 20%?) that by the magic of BGP routing this website request might be passed through Cloudflare AS BGP node and you will be tracked
BGP explanation by Cloudflare itself:
It would be good to know how many traffic goes into the proxy, to have an accurate understanding of their plain traffic capabilities.