![](/static/253f0d9b/assets/icons/icon-96x96.png)
![](https://fry.gs/pictrs/image/c6832070-8625-4688-b9e5-5d519541e092.png)
Such source code isn’t possible with the general audience service they offer, even if being open source were a requirement for credibility in any way.
You’re comparing them to a company with a long history of actively hostile behavior despite the fact that there’s never been a single hint of anything resembling hostile behavior from them, they operate from a country with meaningful privacy protections and only surrender data when compelled by their own courts (who only do so in circumstances that actually warrant it), and haven’t actually given up information that’s useful when required to because they don’t have it.
Cloudflare’s (pretty good IMO) response was pretty indicative of how bad this was. It sounded a lot to me (without that low level of familiarity of exactly everything they offer) like they specifically built some new tooling just to handle this issue at scale. They definitely said that changing links on pages (without an opt in for free users, who generally are less advanced/serious) is not something that they want to do, which is good, but I do think this specific scenario justified defaulting to enabled for customers who aren’t paying for the service.