I don’t know where posts are coming from when I see them online. We can only guess at the specifics (which will hopefully be released when there’s time for an after-action report) but presumably cloudflare may be able to see ip addresses and have some idea of location. If someone posts “I’m coming to kill you” a dozen times but the ip is in Europe and doesn’t appear to be a VPN then that’s less cause for concern than the same posts made by someone with a residential ISP ip that’s half an hour away from the target.

Of course that may not at all resemble what happened, but you are incorrect to believe the cloudflare doesn’t have a privileged position that allows them more information.