Typically on their free accounts they use your cert for communication between them and you, and use cert they issue for communication between them and everyone else.

User -> CF cert -> CF -> your cert -> your server.

That’s why I suggested examining the cert on your external facing page.

Regardless, one way or the other, they need to be able to decrypt your data in order to apply their services (WAF, etc).

Unless, again, you’re just using DNS (grey cloud).

Consider what a DDOS attack looks like to Cloudflare, then consider what your home server can actually handle.

There’s likely a very large gap between those two points.

For me, my server will start to suffer long before traffic reaches the level of a modern DDOS attack.

Are you using their proxy or just DNS ?

If you have the little orange cloud (proxy) on your DNS entry, go to your public facing webpage and examine the cert. Chances are it’s not what you think it is.

Saying something is “self hosted” when it’s actually hosted by a cloud provider is sort of like saying something was “self coded” when it was actually coded by an LLM.