> Cloudflare's ToS and contracts prevent them from doing nastiness with your data without breach ...

Contracts can be and regularly are changed. Ebay, PayPal, Etsy, Google, Microsoft, ad nauseum all have done this many times.

Contract-based protections mean very little if those clauses are non-perpetual and revokable.

Sure, they could try adding “your data is our data” on the renewal of a few million dollar enterprise contract and see how that goes - probably a redline with a nasty Zoom call attached. They could rug-pull this on free and small business users to a degree, but I don’t even see how it would be worth it. It’s such a small proportion of their traffic, and the fact that this is even a thing on their platform would scare away regulated customers for sure.

Changed by informing in advance. If they change it to scrape your data to sell it to advertisers or someone, drop their service.

As rumbefrog said, not exactly an option if they're the biggest/only game in town or if no one else has a feature you absolutely rely on.

Easier said than done, vendor lock-in is costly to move from.

>Cloudflare’s ToS and contracts prevent them from doing nastiness

Crypto AG's ToS also presumably said "we pinky promise not to backdoor our devices" when selling it to foreign governments, and look how they ended up.

https://en.m.wikipedia.org/wiki/Crypto_AG

Crypto AG was a literal CIA front. Are you saying you think Cloudflare is a CIA front?

Yes. 0% sarcasm.

It is possibly the biggest MITM operation in the history of computing. An unbelievable intelligence asset.