You should also read the post you linked to before complaining: “As part of our Application Security offering, we offer a free feature that checks if a password has been leaked in a known data breach of another service or application on the Internet” The website owner enabled this.

Cloudlfare scans all uploaded stuff. So, they do, in fact, scan everything. A was told, explicitly, by whatshisface from NB that they do use CF for CSAM. So . . . Did that change? If so, when did that change?