>Therefore it is as easy for Heroku (Salesforce) to man-in-the-middle your application as it is for CloudFlare
Heroku owns your server and can just as easily read your database off disk and/or your webserver process's memory. If you don't want to trust an infrastructure provider, you need to have physical control of your server. Such quibbles about architecture are deck chairs on the Titanic.
In one sense that's true, but as they say in the security field, the fact that someone could break down your home's front door with an axe doesn't keep us from locking our doors. Even if you generally trust your infrastructure provider, there's still no harm in considering the different layers at which you are and are not protected from certain attacks. For example, a single rogue employee might be able to do some harm in one area, but not another.