There are for the .net domain. Not currently on the .org domain. The org domain doesn’t handle authentication of any kind. We could see about re-adding it, there was some reason why we hadn’t.
Unless Cloudflare went malicious and started changing our configuration, enabling proxying. With that threat model in mind they could just start messing with our DNS records and nothing would help in that situation.
That is really the only solution if you don’t trust any of the providers you use. Again though Cloudflare isn’t our threat model because there is no reason for them to be so.