To clarify, do Cloudflare hold the certificate for this site or does the actual site's server possess that? If Cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem) though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.
It could result in private information about you, such as your IP address being released to the government. It could also result in your PMs being released to the government.
The lack of needing a warrant means the process is ripe for abuse by the government. If, for example, you are speaking out against the sheriff, the sheriff could go on a fishing expedition to look for illegal activity and then arrest you on a small technical violation of the law.
You could always switch to a service like Tor but that is immensely slow at loading (not sure if there are any good fast and free services that you can use for a VPN/proxy).
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.
There's a London-based Cloudflare and other Cloudflare offices in mainland EU; I think those could be used (not London though due to the IP act).
A direct connection to the server is also a good idea but I don't think theymos would particularly like that idea as it has a likelihood of being abused and the Bitcointalk server isn't as powerful as the ProtonMail datacentre.
It's a shame none of the admins/moderators have a mining pool that we could hide behind (gigabytes of data being transmitted per second would be a nice thing to hide behind as no one is going to want to screen all of that just to pull out the packets for this server).
There have been multiple suggestions of having paid-for direct access to the servers; I wouldn't be opposed to paying, say, 0.01 BTC a month to access the server directly from my own private socket into the server (possibly make it so that transmission has to be encrypted with a sort of private key/public key pair that each user randomly generates every month - unless that's too much of an advanced thing to try to incorporate).