Yes and no? It’s not quite as black and white as that though. Yes, they can technically decrypt anything that’s been encrypted with a cert that they’ve issued. But they can’t see through any additional encryption layers applied to that traffic (eg. encrypted password vault blobs) or see any traffic on your LAN that’s not specifically passing through the tunnel to or from the outside.

Cloudflare is a massive CDN provider, trusted to do exactly this sort of thing with the private data of equally massive companies, and they’re compliant with GDPR and other such regulations. Ultimately, the likelihood that they give the slightest jot about what passes through your tunnel as an individual user is minute, but whether you’re comfortable with them handling your data is something only you can decide.

There’s a decent question and answer about the same thing here: https://community.cloudflare.com/t/what-data-does-cloudflare-actually-see/28660

Admittedly I’m paranoid, but I’d be looking to:

1. Isolate your personal data from any web facing servers as much as possible. I break my own rule here with Immich, but I also…
2. Use a Cloudflare tunnel instead of opening ports on your router directly. This gets your IP address out of public record.
3. Use Cloudflare’s WAF features to limit ingress to trusted countries at a minimum.
4. If you can get your head around it, lock things down more with features like Cloudflare device authentication.
5. Especially if you don’t do step 4: Integrate Crowdsec into your Nginx setup to block probes, known bot IPs, and common attack vectors.

All of the above is free, but past step 2 can be difficult to setup. The peace of mind once it is, however, is worth it to me.