That doesn't actually create a properly encrypted connection. It only encrypts between the user and the site (at CloudFlare), not between the site and Github. Without that last hop being encrypted, you have to weigh whether this is an improvement or not.
Yes it does - this is all a setting you can choose and since Github does support HTTPS (and has for a while) you can always set it on "strict" and ensure a continuous encrypted connection on both sides of CloudFlare.
But what certificate will Github present for your custom domain? I don't think you can tell CF to accept Github pages's cert for your own domain. They either use their own CA or don't do auth, right? At least on non-enterprise plans.
It significantly decreases the attack surface, since most of the connection will be encrypted inside CloudFare's network or over HTTPs. Should be a clear win for most cases.
You can now actually use CloudFlare to issue a custom certificate for your origin server that it will accept (CloudFlare Origin CA), but of course GitHub pages won't support installing it.
