I'd argue that the certificate authority does not have the ability to decrypt your communication because of the nature of the private and public key mechanism during the whole TLS certificate procedure. You do not send your web server's private key to Cloudflare when requesting a certificate.
That would actually be pretty wild...
Other than that, you're probably right.
You're right, forgot that you can just not encrypt on your server's end and use Cloudflare to do that for you, especially when used as a CDN.