It’s not that you’re wrong. It’s more that I don’t understand what you’re proposing as an alternative. To add to the comments here pointing out that that’s how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn’t the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance upgrade, etc. you don’t need to tell who your visitors to go to a different address. In that case, your certificate would be attached to load balancer rather than the server behind it.
If this was a 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.
Thanks. This is pushing the limits of my current understanding, but unless I’m mistaken, this reads like ‘anyone who chooses may hijack part of your domain at any time if you both use cloudflare’. Sounds crazy.