I have in the middle of thoughts of moving out of AWS and having a dedicated provider as our billing has increased a lot with the scale. The only thing which was holding me was the uptime confidence. Now I feel it's not a bad idea.
May be its bad implementation of cloudflare. Cloudflare doesn't do javascript check if content type is xml in headers unless you explicitly want it to do.
RSS feeds and similar URLs should be excluded from security with page rules.