If you are talking about Cloudflare, I (personally) feel this may be somewhat of a mis-impression. My impression is that they have made a conscious decision to try to build a mainstream business that is compatible with and supportive of online privacy & security, and have devoted real time and resources to privacy initiatives. It’s just that a lot of the work they do related to privacy is more technical, behind-the-scenes stuff that isn’t always apparent to the consumer/end user.
But Cloudflare has been an influential player, early adopter (and in some cases a leader) of various privacy initiatives and standards. Things like:
- Encrypted SNI (ESNI)
- Encrypted Client Hello (ECH)
- DoH and DoT
- Oblivious DoH (ODoH)
- Oblivious HTTP (OHTTP)
- TLS 1.3
- DNSSEC
Apart from specific technical things, I see Cloudflare making a positive contribution in a few other ways: (A) Privacy and security education, their blog posts often provide good conceptual overviews of somewhat complicated and esoteric technical topics. (B) Pushing for or supporting privacy-preserving or privacy-enhancing web standards. (C) Making it easier (or the default) to use emerging security and privacy standards.
My impression is that Cloudflare has demonstrated a meaningful commitment to some privacy initiatives that are making a real and positive impact. And because of their size and reach they are in a somewhat unique position to push privacy in ways that benefit everyone, not just those of us who are already privacy conscious. I don’t think they are perfect, and I don’t fully trust them, especially in some particular contexts, but I don’t think it’s fair to say they are private ‘by accident’. As far as big tech companies go, I consider them one of the better ones.
With that said, like you, I have a bit more trust-by-default in a non-profit than a large corporation, and I do not trust that any company that controls as much of the internet as Cloudflare does will not be a big target for US and other governments’ intelligence services.