Using a CDN service operated by a non-GDPR business such as Cloudflare, Google, Amazon, or Akamai could potentially be confirmed to be a violation of GDPR, yes, if the CDN-hosted resources are used without opt-in. I’m eagerly awaiting the first complaint on these grounds to be reviewed and judged, now that the GDPR treaty with the United States has lapsed. It doesn’t matter where the CDN’s servers are; without the US having signed a treaty into law, each of their businesses are subject to compulsion by various US authorities to dishonor their commitments to the GDPR.
It looks like the court decided SCCs were not sufficient as Cloudflare is subject to US surveillance laws so they wouldn't be able to provide adequate guarantees.
