Rather amusingly, the massive centralisation of the internet, which is bad for privacy in every other way, actually protects you here.

Yep, cloudflare dns proxy essentially hides your origin ip addresses.

They can, but pretty much everything will reverse lookup to Cloudflare or AWS.

SNI reveals the exact site though

As I understand it, this is now being addressed by ESNI[1] and ECH[2]. Hopefully ECH will continue being more widely deployed.

[1] https://www.cloudflare.com/learning/ssl/what-is-encrypted-sn...

[2] https://blog.cloudflare.com/encrypted-client-hello/