Yeah, that is how I use it. You can technically host any TCP including end to end encrypted data through CloudFlare tunnels but you need the cloudflared app installed on the client side to access it (SSO still works even for this case). I find having to manage certificates and installing cloudflared everywhere is too much of a hassle. I understand that proxing through CloudFlare gives them a lot of visibility and control, but I find that risk acceptable given my application.