I use CF tunnels pretty extensively with my home unraid server.
The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.
It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.
Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.
Fuck Plex, by the way. Good on them for building up and turning themselves into a streaming service of sorts. Add value and I'll pay for it. But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files? Seriously, they can go to hell. No one streaming movie files to their family is doing so because they love paying middle-men, by the way. And no core function of Plex can't be done freely.
I would just prefer to not have to public expose a service for a single user. In my case when sharing an image server to family it has been easy enough to walk them through installing tailscale on their windows desktop that they use. I love adding friends and fam to my tailnet. It then also makes it easier to log in and troubleshoot their issues later too.
It looks like CFs solution for restricted public access is CF access controll, but thats still publicly exposed. Their non-public option is WARP, but that requires installation on the client machine. At that point your user setup is even harder then tailscale.