It depends how you wanna bypass it. (https://roundproxies.com/blog/bypass-cloudflare/) e.g. I found out that they track TLS, HTTP headers and Javascript JS fingerprinting. There are def some ways, personally using browsers but yeah. maybe take a look at that guide above foudn that helpful as a good starting point tho

Plenty of ways to leak the original server IP address if it isn't really well hardened against that (and most aren't).

Like? Aside from scanning DNS records (assuming the protected IP is in there somewhere) or scanning the entire IPv4 (assuming the server responds to non CloudFlare requests), I can't think of any. And both methods are simple to protect against.

Some of it is tradecraft, but have two: SSRF bugs/features and chatty email headers.

Right. Still a far cry from "anyone can bypass CloudFlare" though.