As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or pseudo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc.).
Cloudflare regularly posts reports on DDOS attacks, the latest for Q1 of this year:
https://blog.cloudflare.com/ddos-threat-report-2023-q1/
But if it comes to protecting your personal data, then no matter what hosting you use, you risk trusting it to a third party anyway.