The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports.

From https://www.cloudflare.com/products/tunnel/

The answer depends on how you’re serving your content. Based on what you’ve described about your setup, your content is likely served over HTTP through the secured tunnel. The tunnel acts like an encrypted VPN, which allows unencrypted content to be sent securely over the wire. This means although your web server is serving unencrypted content, it gets encrypted before it goes to Cloudflare, so no one along the path could snoop on it.

The tunnels are encrypted. But I don’t know if they use SSL or something else.

You should be able to set it up, which seems to be the crux of your question.

The reason for the conflict is likely that the traffic is encrypted through the tunnel, but cloudflare holds the certificates needed to verify the identity of your site and can see all the traffic.

But tunnels are done by having your server initiate the connection with cloudflare, so it behaves like a client in terms of networking, and it should work in most cases.

(Worth noting that video was against their policies for using at least the free tunnels last I was aware, so if that’s part of your use case you might not be able to use it.)

What you read online may have been referring to how cloudflare itself can always see the unencrypted traffic?

Cloudflare tunnels are encrypted, but inside of that encrypted tunnel could be a regular http stream.