any website can trivially configure their own firewall in the same way without CF.
How many websites can handle the amount of traffic that CF can handle? It’s not just about configuring your firewall, it’s about having the bandwidth. Otherwise it’s not much of a DDoS protection.
I see CF keys.
As I don’t have an account there I can’t see which requests containing credentials use which cert.
And also, just because the cert is verified by cloudflare does not mean they have the private key.
Pgp does not encrypt the whole email, only part of it.