I might be wrong, but I think with Cloudflare Tunnel (same with Tailscale), you don't need to open that port to the public? That is at least my understanding. Still, Cloudflare must communicate somehow with the external world, and if that is compromised, then so is your service.