Because Cloudflare sees your traffic in clear, because they terminate your TLS connection. So are the other services or equipment that does that 

I think the point was that service that runs nsecbunker has access to the nsec as is, it doesn’t matter if it’s stored encrypted or not, it’s an easy fix to intercept the key if service wanted to.

Enclave or HSM with the proper and standard encryption key exchange and zero exposure of unencrypted nsec or the key is the only way I see it being trustworthy. 🐶🐾🫡