Their business model has always been MITM, sniffing and modifying content. They do not just blindly pass traffic. Cloudflare and end-to-end encryption are incompatible. They need access to the traffic. What is troubling is how easily they can fool customers or end users into believing that they are offering satisfactory encryption when in truth they are not.
Stepping on to soapbox... TLS needs to be replaced with something simpler, with fewer "buttons, dials and knobs". TLS pontificators need to separate authentication from encryption. They are two different problems, and it's possible we may only have a satisfactory solution for one of them. If that's the case, and it's the former problem that remains unsolved, then it could be worthwhile to reconsider the relative value of encrypted "channels" versus per packet encryption.
"Consumer Product Safety Commission is behind...DDoS"
This sort of title suggests that intent is not important.
If we accept that as true, then we can make a few more observations.
DNSSEC is behind DDoS.
The large responses mandated by DNSSEC allow DNS to be used to DDoS.
People warned the DNSSEC proponents about this.
They ignored the warnings.
Because the intent of DNSSEC is something else besides DDoS. (What that something is could be a controversial topic in itself.)
If DNSSEC and its users are behind DDoS, then who is behind DNSSEC?
What are they trying to achieve, what is the problem they hope to solve with DNSSEC? Besides making DDoS easier.
A small group of people gets to ultimately decide what is and what is not a "valid" or "authentic" domain name?
Why would anyone need something like that?
"DNS experts" over the years have been increasingly willing to admit that it's reasonable to acknowledge that users could choose not to share a DNS cache with anyone else. They could run their own cache bound to the loopback.
When this happens, does the user still need DNSSEC?
It's easy to detect when Cloudflare is being used. There are multiple ways.