Worth noting that a surprisingly common amount of sites have other sections of their site which are not routed through Cloudflare. Look for instances of DNS records like this:

    admin.example.com

Such a record is usually not routed through Cloudflare because the last thing a webmaster wants is to solve captchas for their own website. They don't however care much for their visitors if they're subjecting (possibly a substantial amount of them) to captcha solving nonsense.

The content in the non-cf sections of a site can still be accessed because the webmaster is lazy and didn't care to check if a visitor can do a DNS DIG on all their DNS records.

Or you can simply use TOR pluggable transports to pretend you're Googlebot, and also hide all your traffic in Google-like traffic.

I would reserve this for rare cases as there are people in censorship prone countries who really need this bandwidth :)

The pluggable transports are for connections from your Tor client into the Tor network, not connections from exit nodes to the rest of the Internet. Cloudflare (or any destination host) would still be able to detect your connection as originating via Tor.

Pluggable transports are intended to stop your local ISP detecting or blocking your connection to Tor: https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt

While I agree that you can mask your exit from the Tor network via an additional proxy or VPN, that's not the role of pluggable transports. They're only for connecting in to the Tor network, not out from it.

A tremendous amount of (very difficult to mimic) dexterity is still required for cleaning toilets, last time I checked.