I was always unsure about cloudflare as an end user - I don’t want all my traffic going through one provider, but their business use case seemed reasonable.

Then my in-laws got tricked into sending login credentials to a phishing page fronted by cloudflare. It was obviously spoofing IDP logins of Yahoo, Microsoft, etc. I sent a request assuming they would disable the domain and it was immediately closed (in minutes) as not an issue. It made no sense that they would want to front phishing sites. I eventually got them to look more closely and it was removed, but it soured my perception of them.

I think large scale internet businesses may need to start having more liability in matters like this. Being blocked from an entire country seems extreme, but if there are financial incentives to solve the problem, the problem will get solved.