Is it correct that in order for a site to utilize Cloudflare to protect them from DDoS on port 443 (SSL), that site must install their CA-signed cert (private key) on Cloudflare's servers? I think Cloudflare did a deal with a CA to even streamline this process.
Regardless of how data between Cloudflare and the site's real IP is subsequently proxied, does this effectively mean that said site must implicitly trust Cloudflare and any parent it may be answerable to? Is this a MITM scenario?
Due to the nature of SSL and CA infrastructure in general, I don't think there is a way around this natively. Is there a way for a third party to filter (i.e. from a flood) your SSL data securely? If not, perhaps some JS crypto could fill the gap between site and user? Of course, secure JS delivery has its own problems under such a scenario.