Cloudflare have launched a censored DNS product that blocks LGBTQ support sites

  • They should have just figured out a way to add a user ID parameter to the DNS resolver and let users configure which sites they want to censor, uBlock-style. They would have been able to get a better-than-Google level of analytics data collection, since DNS covers stuff like apps and local software beyond browsers too.

    Since DNS already has some ID fields, here's how they can potentially implement it:

    When the user signs up and adds devices, have them visit a unique subdomain to "activate" the device. On the load balancer level the device should be fingerprinted and stored; I think their VPN product already does this, so it should be quite straightforward. Every DNS query can now be matched against a custom block list. Of course this would take more server resources. Cloudflare can turn this into a business opportunity by offering tiered plans, with higher-level plans so that users can choose what to censor based on their own brand of politics, instead of a third-party corporation. Or perhaps they can simply recover the additional server costs through selling analytics.

  • What an evil product. It's not just "oops, what a cock-up". Sarah's brief testing shows it clearly blocks gay support sites en masse, but permits most well-known Nazi sites.

    Clearly no diligence was done at all at Cloudflare. The entire idea of filtering for "adult" content at the DNS is fundamentally flawed, and clearly they just assumed they could buy something instead of realising no such list exists that isn't irredeemably toxic.