I encourage you to read into Layer 3 routing and packets.
The source IP is your WAN IP always. It carries through. NAT will change your PC's local network IP (192.168.x.x) to your gateway IP in the packet. This identifies YOU. Individually.
No SSL or TLS is needed for that.
DNS forces the traffic to re-route through Cloudflare's routers and thus they get the packet data.
True, the source MAC ends at the router, my bad; it gets changed to the MAC of the WAN for the router. But the IP address source does carry all the way through, which is all that is needed.
They cannot see your user name. That is encrypted with SSL. Just because the SSL terminates and is recreated there does not mean encryption is broken. It simply gets re-encrypted and both keys are passed to the destination. It is not revealed at the termination point. Only the key to decrypt the new encrypted packets... is revealed... to the destination.
https://flightaware.com/live/flight/SWR15X
It dropped off that callsign and changed to SWR15X (probably because it went into international airspace).