Why are we even blaming Cloudflare? Aren't web developers the ones who haven't enabled strict SSL? Cloudflare should recommend the user use stick SSL but calling it unethical is quite a bit of a stretch... Sometimes it is useful like hosting node js app or docker container app without using a reverse proxy like Nginx.