You’ve already taken a great step by setting up Cloudflare tunnels, as that will obfuscate your WAN IP, but a common mistake I see a lot is having another random device on a network that is perhaps using a DDNS that doesn’t obfuscate A records or something like that.
Basically, just make sure everything that is public/internet-facing is going through CF tunnels and you’re as protected as you can (reasonably) can be - from that angle at least.
Keep in mind though, this just (largely) prevents one vector of attack - through your WAN IP - depending on your set-up, you could (and likely do) have other ways of penetration to get into your network.
I am a big proponent of getting something like a Firewalla to mitigate many other vectors. They’re bit pricey (though for their capabilities relative to other “off the shelf” devices, not really, I suppose) but largely hands-off.
I would consider time a pretty major resource…and yes, you are correct I misspoke/typed. I meant public IP, not host IP…
Anyway, the point is not to prevent all attack vectors (which is impossible, unless you’re totally offline/air-gapped/etc), OP wants to minimize the probability of infiltration. So to get back to the question, yes CF tunnels help with that when implemented correctly.