Board Meta
Re: DDoS
by Blazr on 22/04/2015, 09:44:58 UTC
Since I mentioned Cloudflare in the OP, I thought I'd note this here: I just learned that Cloudflare's "keyless SSL" feature still allows them to undetectably MITM all traffic. How it apparently works is that you keep the HTTPS key, but session keys are generated in a special way that allows both you and Cloudflare to decrypt the HTTPS traffic. Pretty sneaky, and not at all widely known. My suspicions that Cloudflare exists to spy on encrypted Internet traffic continue to rise.

Yes, it is just security theatre to make people feel safer. Cloudflare can read all of your traffic in the clear no matter which of their products you use. Some of their anti-DoS protection needs to be able to view all of the traffic in the clear in order to work; it's the only way they can properly protect against layer 7 attacks, for example... or at least that's their story and they're sticking to it.