They will essentially be an MVNO, yes. It doesn't address security much though - the carrier's infrastructure still needs to be trusted and there is no end-to-end encryption between the mobile device and Cloudflare (you'd still need an on-device VPN for that - this is a limitation of the mobile protocols; the network is considered trusted and is given access to the traffic). The eSIMs that Cloudflare uses also need to be properly segregated away so that the carrier's customer support people can't reissue those SIMs, which they can technically do as they are still considered the issuer and their system is in control of the issuing process.