Yes, Cloudflare stores the SSL the private keys. CDNs really need to read and modify the requests and responses for most of their functionality, like caching, load balancing, DOS mitigation, ...

You can always use a separate, not CDN protected domain for your API if this is a threat vector you care about.

Yes. It depends on your threat model. You have to just someone at some point of you're not running your own datacentres.