End-to-end secure, but only against passive attacks. Cloudflare "Full SSL" (as opposed to "Strict SSL") does not verify the certificate presented by the origin server, so someone sitting between Cloudflare and your origin can still MITM the connection without detection. Strict SSL does not currently work with GitHub Pages, because "*.github.io" certs do not match custom domains.
We're working on making Strict mode work better in such situations.
For example, if the origin server presents a certificate with a SAN for *.github.io and you have a CNAME to yourusername.github.io, this will (soon) validate as Strict.
That's great news! I've been hoping Cloudflare would allow customized cert validation (i.e. the user specifies a domain name to verify against, in the control panel). At least the improvement you mention will increase compatibility with GitHub Pages and others.
https://www.cloudflare.com/ssl/
https://github.com/isaacs/github/issues/156#issuecomment-110...