
[–]In-the-clouds (0 children)

This way the truth will always be spoken with a waiver of hesitation

Many men are willing to act tough and take up a gun, but the same men are cowards when it comes to opening their mouths and speaking the truth.

I will not fear what man can do unto me, because the Lord, my helper, is on my side.

[–][deleted] (9 children)

Tor is script-blocking Cloudflare, is my guess. Cloudflare is probably suspicious of Tor anyway because of abuse potential.

[–]SoCo[S] (3 children)

Tor's script blocking is dangerously lacking. I usually add my own script blocking that is much more manually controlled. Yet, when I let all that up, or use the stock, or use the stock with the mostly-disabled NoScript all the way disabled, it can't reach the login page.

Yet, I've found an anomaly, so this is the case for 3 out of 4 machines. I am investigating the dependency and why one system's Tor Browser in one VM seems to have few problems, just your standard 3-minute wait and 2 times clicking "I am human".

[–][deleted] (2 children)

Strange, because Tor Browser on my phone blocks 4chan's scripts at the highest setting, and those guys have good fingerprinting as far as I'm aware.

[–]LarrySwinger2 (1 child)

Indeed, it does block scripts on the safest level, but his complaint was that you have little control over it. I believe NoScript's settings are reset after a browser restart so you can't build a whitelist. I go his route sometimes as well.

[–][deleted] (0 children)

I used NoScript many years ago, and I've been having great success with uBlock Origin. Great tool.

[–]LarrySwinger2 (4 children)

It isn't Cloudflare's aim to exclude Tor users from the web. On the contrary, they have gradually made it easier over the years. Tor was really unusable back in 2015 where every other site required an unsolvable reCaptcha.

Since recently, Cloudflare's bot detection works slightly differently. They show fewer captchas now, but one consequence is that Tor users are barred from access more often. I'd imagine they're working on it and we just have to be patient. In the meantime /u/magnora7 could change the security level in Cloudflare, but I could imagine him wanting to keep it this way because we have enough spam to deal with already. Maybe require new users to solve simple captchas for the first 20 posts, and then lower the Cloudflare security level?

You could also use Librewolf, which combats fingerprinting similarly to Tor Browser. Then you just need to hide your IP address. You could install a VPN, plus a VPN browser addon inside Librewolf from a different VPN provider. This way, the NSA needs to control both VPNs to find out who you are, and also care enough to go to such lengths to track users. (They may or may not; my guess is that this suffices for avoiding mass data collection.) But for this to work you have to go to preferences -> privacy & security -> uncheck "Query OCSP responder servers". N.B. you're exposing yourself to possible MITM attacks this way; that's the trade-off. If you don't want to do that, another option is to go to network settings and manually configure it to use a Socks 5 proxy that you found on the web. Do let me know if you find a good free one, because I don't know of any myself; they all suck.

/u/SoCo.

[–]SoCo[S] (2 children)

Just my perspectives (somewhat pessimistic and speculative)... I think mostly my browser security is the reason for my Cloudflare grief. Being detected as a Tor connection likely gets me put on Cloudflare's high risk list from the start, compounding the problem.

Tor Browser comes pretty locked down, with many customizations under the hood. I typically throw a few security add-ons on top, like uMatrix, where I become aware of and manually control many aspects of websites. This said, I still had problems when disabling them.

Tor is super usable compared to many years back. This is mostly due to a large increase of Tor nodes donating their services. This may be due to the large increase in censorship and oppression becoming recognized back then.

I've fought many of those old captchas that were nearly unsolvable. I still would prefer them (as long as they weren't training AI for war and anti democratic oppression), as the alternative is de-anonymizing fingerprinting.

When it comes down to it, you can't stop the fingerprinting. Websites and services ensure that most things that even slightly obscure doing so are service breaking. Yet, fingerprinting is far and wide. They fingerprint 100s of aspects of your browser, but then also your operating system, video card, monitor, and other hardware, your network, and hops outside your network... it is endless. Their fingerprinting no longer needs to be done home-brew by these large companies; they will just pay for a fingerprinting service to be integrated, one that is constantly updated with the latest techniques, always keeping ahead of the curve.

This is a huge security and anonymity risk, since all the big companies started working together to collect "anonymized" data, then trade/share/sell it to each other, where the big players with enough data and other unique side-channel attacks provide de-anonymizing of that data as a paid service.

I like Librewolf, Palemoon, and Brave as some browser alternatives, especially since I can't stand to use Mozilla Firefox or Chrome anymore due to the massive amount of spying and data collection built into them (we mentioned unique side-channel attacks for de-anonymizing, right?).

Although I use them sometimes too, the problem with paid VPNs is that I'm sure most are forced to share their user data with and by government, like I'm pretty confident all those companies working together to collect all of everyone's data are compelled to do as well. The US government got caught spying, which was illegal, so now they forced companies to do it for them. For plausible deniability and to push through Trojan horse laws that legalize their spying, while appearing to be blocking it, they always ensure to permit "anonymized" data collection...then pay Oracle for data de-anonymization services.

Even if VPNs are tight-lipped, like with Tor, a VPN user is easily de-anonymized through the fingerprinting and sharing of data. This type of side-channel attack is used all the time by the NSA, which doesn't need to control anything. Yet, it is great to just outsource that to otherwise massive and unprofitable companies, whose products are almost all free. This way, the NSA can focus on their internal tools, like automating and analyzing the spying over every human, so they don't need to decide if they care or not.

Those OCSP queries to verify HTTPS certificates are a double-edged sword, as they leak every domain you access to yet another data collecting party. Yet, you are probably a sitting duck for MITM attacks if you don't use it while putting your proxy through a marginally trusted VPN, Proxy, or Tor node. Personally, I have very little confidence in the SSL web of trust, but it suffices for most stuff. The whole security of everything relies on SSL, so you can be sure that it is completely compromised by government intelligence agencies at the very least, which ensures that it won't get fixed, even if average actors keep pace. They have a long track record of allowing the public to be insecure en masse to protect their ability to exploit that. Between their involvement in developing various used encryption ciphers, key exchange methods, the age of SSL concepts, and the mangled mess of the SSL web of trust system that no one can verify, it's hard to feel confident. The worst part is the web of trust relies on the web. We've seen many new and exciting IP spoofing and web traffic redirecting tricks which are usually targeted at SSL certificate verifiers. BGP backbone stuff is all black-magic that surely is an open secret of fundamentally broken security design.

Yet, who needs to do all that work, when every operating system and browser is stuffed full of 50+ extremely questionable certificate authorities preconfigured with full trust. On top of that, you might notice the massive, complicated, aging, and very centralized monopolistic software and libraries that implement SSL. It is surely garbage when it comes down to it, based mostly on the software size and complexity. If your security apparatus has a bazillion features, most of them antiquated and insecure, then it can be guaranteed to be insecure.

I really like some simpler and more straightforward software and libraries for public/private key encryption, like Curve variants, and I hope they are secure. Yet, I'm not very trusting, as they seem mostly a fancy implementation of the same concepts. It has a largely hand-wavy feel to it. When it comes down to it, any secure cryptographic algorithm is rapidly becoming insecure simply due to the massive processing power that can be obtained to crack it. Throw on top the endless discovery of new short-cuts to cracking each algorithm, and it narrows greatly.

Since messing up a LUKS-encrypted hard drive a year ago and finally getting around to cracking it, I've learned that the tools make an encrypted hard drive require a 20+ character password to be above child's play to crack. The worst part is, with access, someone can copy just the few kilobytes of drive header to a thumb drive, take it back to the home system (or spin up some rented cloud processing) to crack it. Then simply come back later and type in the password.

Free Socks 5 proxies always suck. Most of them are honey pots by scammers anymore, the others are likely scraped from paid proxy services and will stop working quickly. Yet, many VPNs will give you a Socks5 proxy to access through the VPN, but that seems to be getting harder and harder to come by. The VPNs would rather you install their questionable app to collect all your data, than give you a simple Socks 5 tunnel.

I remember making Proxy Testers to pump large lists of Socks 5 proxies through, so many decades ago, as most software very suspiciously did not support authenticated Socks5 proxies for a very long time, like all browsers and IRC clients. When security is oddly suppressed and made difficult, you can probably assume that it is outdated and no longer helpful, once it suddenly becomes easily available. I don't bother with an SSL cert on the archive of the proxy scanner project any more, since my domain host had a weird incident where I couldn't pay and squatters got my COM domain. They've parked it for nearly 20 years, so I guess it has been a pretty unprofitable squat. I switched domain hosts for dozens of domains since then, steering entire companies away, as I suspect they were complicit in destroying of my free and open source web legacy. Probably just as part of their scammy pay us to offer to buy it back your squatted domain, solution to the problem.

..yeah the illusion of security irks me, sorry for the rant.

[–]LarrySwinger2 (1 child)

Thank you for sharing. It's too much for me to comment on all of it (and I don't have a comment on all parts regardless) but here's a few points. The ReCaptchas I got in 2015 were literally unsolvable. Google's throttling mechanism worked such that if there was too much traffic from one IP address, they'd block it, but in the meantime still present them an endless sequence of captchas just to have people solve more problems for them. You mentioned training AI and the problem is that that's exactly what was happening. Anyway, you could detect the fake captchas by clicking the voice captcha button, then it'd be upfront about it and say that you're denied access. But you already knew that when you were presented a captcha as a Tor user.

You're right about fingerprinting. I've used https://fingerprint.com/ and it does appear to track me across sessions.

[–]SoCo[S] (0 children)

I remember Yahoo captchas to be the worst (maybe because I ran into them most), for being actually unsolvable, but those were the messed up letter style of captchas days, which all had seemed to have that struggle.

If you want to go much deeper with fingerprinting, this page has links to a whole list of different specific kinds of fingerprinting online checker sites along with a good brief summary of some. I'd call it a good 2nd entry-level quick dip into the topic:

https://browserleaks.com

[–][deleted] (0 children)

I've heard many experienced individuals thumb down VPNs because they're not anonymous, and many will tell you they could be honeypots. I think remaining anonymous is super hard to do if you're on the web. It's a lot of work.

[–]Drewski (0 children)

I've definitely had issues with the Cloudflare login page and various security settings. /u/In-the-clouds just posted this great article on Cloudflare and why it's bad last month: Say No to Cloudflare

[–]neolib (0 children)

I think I clicked Cloudflair's verify you are human 2000+ between yesterday and today. It has always been a flaky crap-shoot, taking several tries, but something changed in the last 2-5 days and now access to login to Saidit via TorBrowser seems impossible.

Yep, same here, just managed to login today after trying to do that for the last 3 days.

[–]SoCo[S] (0 children)

It still takes nearly 2 hours to login to Saidit on most days, thanks to the CloudFlair de-anonymizing shuffle requirement.