
How can they do that, the HTTP headers are encrypted by TLS?


Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.


If it's TLS 1.2, certificates containing CNs and/or SANs are sent in the clear too.


Luckily, ESNI is being supported by an increasing number of implementations.


I believe China's answer to ESNI is just to block all traffic that attempts to handshake with ESNI, so it still won't necessarily get you anywhere.


Once everything is using ESNI this isn't a problem anymore. It's the lack of implementation that is currently the problem.


Maybe it's actually SNI.


Not OP, no idea how they do it, but they COULD look at the SNI in the client hello.



