
Why do you think that a CDN reduces privacy any more than if a company such as YouTube hosted 100k servers themselves (presumably maintained by _paid_ employees or by another company themselves such as Amazon)?


Nobody[1] complaining about these kinds of privacy issues is talking about the 2nd-party service you are talking to knowing about the requests you explicitly make for its data. That is the expected transaction, even from the perspective of a non-technical user. (if you want a youtube video, you're going to have to ask youtube for it, and youtube probably logs that request)

The problem with CDNs - and google analytics, facebook "like" buttons, 3rd-party ad networks, etc - is that they are not, from most people's perspective, an expected part of the transaction. They are a 3rd party eavesdropping on the conversation.

In the case of some of those eavesdroppers, such as CDNs, GA or (to a slightly lesser amount) Facebook's "like" buttons, there is also the serious problem of aggregation. Cloudflare and Google are both in a position where they can aggregate your browsing history from not only youtube, but also a very large percentage of the network. This is easily enough information to make the mining of very personal data possible, including data that you never divulged directly but can be inferred with the various machine learning[2] techniques that now exist.

Also, the intent of the people at Google or Cloudflare doesn't really matter. I'm sure most/all of the people working at those places are currently well-meaning. The problem is that once data is recorded it stays around forever, so the question isn't if the people currently at Google or Cloudflare would misuse that data, but if anybody with access to that data in the future would misuse it. Allowing personal data to be aggregated creates a tempting target for both people that want to profit from that knowledge and governments with national security letters.

[1] modulo a few cranks that don't seem to understand that the server needs to know your IP address if you want it to send you any data

[2] In many cases, it probably only takes a few carefully-written SQL "JOIN" clauses



