No, it isn't. This is Cloudflare passing exposing metadata when it really shouldn't. Having a configuration option or a origin response header akin to CloudflareCache: private or something is trivial for them to implement.

The same information would then be available in the timing, but given the distributed nature here, that would be a lot harder to pull off.