This is good information to know, but just as a hypothetical: If Cloudflare "turned evil" (or was hacked, or had a malicious rogue employee, or whatever), since the DNS points to them, they could in theory get their own certificate [maybe even from Let's Encrypt(!), but I don't see a CAA preventing issuance from other CAs (and if they control DNS they might even be able to update CAA regardless)] and then act as a man-in-the-middle and intercept connections, right? This would likely be detected at some point (and Certificate Transparency might help), and I don't know what value it would have (as no private keys get changed over the API connection or anything like that), but as it is, Cloudflare does have a lot of power over the connection merely by being in the middle.
[Though I don't really mean to pick on Cloudflare here, it'd really be the same story with Akamai/Azure/Google/AWS/whoever is being used to handle Internet traffic, that by handling the traffic they get a lot of power to see or manipulate what's going through them and could fulfill whatever requirements there are to get a certificate accordingly.]
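The CAA point raised in the comment above can be made concrete. The following is an added example written for this page, not code from the commenter or from Cloudflare: it evaluates RFC 8659 issuance rules (the parent-domain walk, the critical flag, issue vs. issuewild) against a made-up zone, and then models a party that controls the zone rewriting the CAA RRset. All names and records below are constructed for illustration; a real check would fetch the RRsets from DNS instead of from a dictionary.

```python
"""CAA (RFC 8659) issuance check against a constructed zone.

Added example, not part of the forum post above. The zone data is made up;
a real check would fetch the RRsets from DNS (for instance with dnspython).
"""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value); flag bit 0x80 marks the tag as
# "issuer critical" (a CA that does not understand it must not issue).
CAARecord = Tuple[int, str, str]
ISSUER_CRITICAL = 0x80

# Constructed zone: only example.org publishes CAA. api.example.org has no
# CAA RRset of its own, so the parent walk below picks up example.org's.
ZONE: Dict[str, List[CAARecord]] = {
    "example.org": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),          # ";" = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.org"),
    ],
    "api.example.org": [],
    "nocaa.example.net": [],
}


def relevant_caa_set(zone: Dict[str, List[CAARecord]],
                     name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from name toward the root; return (origin, rrset) of the first
    non-empty CAA RRset, or (None, []) if no ancestor publishes CAA."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def ca_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone: Dict[str, List[CAARecord]], name: str,
                     ca: str) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name` ('*.' prefix = wildcard).

    Follows RFC 8659 section 4: an unknown critical tag blocks issuance,
    issuewild overrides issue for wildcard names, and an RRset without an
    applicable issue/issuewild property places no restriction at all.
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, rrset = relevant_caa_set(zone, base)
    if not rrset:
        return True, "no CAA records in the ancestry: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in known:
            return False, f"critical unknown property {tag!r} at {origin}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {origin} has no applicable property: unrestricted"
    if ca.lower() in {ca_domain(v) for v in applicable}:
        return True, f"CAA at {origin} names {ca}"
    return False, f"CAA at {origin} does not name {ca}"


def with_caa_replaced(zone: Dict[str, List[CAARecord]], origin: str,
                      rrset: List[CAARecord]) -> Dict[str, List[CAARecord]]:
    """Model a party that controls the zone rewriting its CAA RRset.
    Returns a copy; the original zone is untouched."""
    hijacked = dict(zone)
    hijacked[origin] = list(rrset)
    return hijacked


if __name__ == "__main__":
    for q in ("api.example.org", "*.example.org", "nocaa.example.net"):
        print(q, issuance_allowed(ZONE, q, "letsencrypt.org"))
    # Whoever can edit the zone simply publishes a CAA record naming their CA.
    rogue = with_caa_replaced(ZONE, "example.org",
                              [(0, "issue", "rogue-ca.example")])
    print("after zone takeover:",
          issuance_allowed(rogue, "api.example.org", "rogue-ca.example"))
```

The last function is the caveat from the comment in code form: CAA only constrains CAs that honour it against the zone as published, so a party who already controls the DNS (or the hosting in front of it) is not the party CAA protects against. Certificate Transparency is the complementary control for that case, since a certificate issued this way still has to be logged to be trusted by modern browsers; this example models CAA processing only and says nothing about CT.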