I have the opposite problem btw where our security team sees a rise in bot activity and IP Protection/threat scores from Cloudflare group Googlebot as "malicious bots" - won't be the first time a CDN and/or humans made a change and a CDN treats a search engine bot as malicious, so you're good!
1. If goodbots are looking at resources that just really don't matter, remember you have robots.txt in your arsenal.
2. You have Cloudflare enterprise logs - do you have access to cloudflare analytics as well? It'll help you catch scary things like search engine bots that get 403's (usually the sign of a bot challenge) - it'll also help with #1 though technically that's not your job (identifying malicious bot traffic and blocking them - I know it's annoying that sometimes it escapes into analytics)
3. Every now and then we'll get a crawler that is actually Googlebot but not on their list of ranges - but it's a great idea to just allowlist all these Google IP's. CDN's really should be giving 5xx or 429 status codes when they're overloaded, but they don't always do that (something I'm working on actually)
Hope that helps!