Yes, Cloudflare would be the ideal point for spy agencies to MITM things. It wouldn't surprise me if the funding for it came from them. And since they sit in between, many API audit logs wouldn't even flag intrusions because everything would look like you'd done it.
