One of the major advantages of using Cloudflare is its DNS-level proxy which acts as a shield between clients and your server. However, that doesn't mean no one can go directly to your server. The internet is a public network and everyone has access to everything. All they need is your IP address which is easily guessed.
I can't remember how I started going down this route, but I do know that as someone with multiple websites, I should be doing the most to ensure nothing malicious is being loaded onto my viewer's computer.
Actually, I do remember. I was looking into how FrontierNav can introduce an iframe-based, postMessage API to allow third-party integrations -- an exciting topic for another time. Loading iframes from other places is of course open to abuse, so I looked into securing it.