Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?
Because that’s not how certificates work?
Your private key is never sent to the CA with you submit a Certificate Signing Request, only the public key and a bunch of metadata.
(The exception being code signing certs that are delivered on an HSM but the key never leaves the HSM)