Update:
Blocking older HTTP versions used by botnets, such as 1.0, 1.1, and 1.2, as well as implementing other server-side features such as pushing resources and using TLS 1.3, would significantly reduce the success of any DDoS attack.
I'd even say it would make it nearly impossible.
Nearly impossible? I disagree when there are many library support HTTP/3[1]. Bot developer could update their bot while bot owner will simply use different bot.
Word to the bird, LoyceV. Not being a computer science major (like many here seem to be), I don't know much about the security/privacy issues involved with using javascript and cloudfare so I'm not too concerned with any of that.
You may want to read to read thread which written by mocacinno[2] or this discussion on CloudFlare forum[3].
[1]
https://en.wikipedia.org/wiki/HTTP/3#Libraries[2]
https://bitcointalk.org/index.php?topic=5247838.0[3]
https://community.cloudflare.com/t/does-cloudflare-proxy-servers-decrypt-my-data/145691