IPs blocked automatically by my firewall are all from Cloudflare

I have a website that uses Cloudflare, in my host level firewall I have noticed that all IPs automatically detected as malicious are identified as "owned by Cloudflare" and I don't know how this is possible.

Does this mean that simply Cloudflare blocks all others malicious attacks but is unable to filter bad actors to perform attacks hidden by their CDN services?

...or these could be false positives caused by some Cloudflare action itself? and in case how could I avoid this?

I think the most important take here is that whatever you use to block things on your end ought to operate on the HTTP layer and base what it does on XFF or similar HTTP headers (see Cloudflare's documentation on restoring visitor IPs), rather than the connection source IP as that will just start blocking Cloudflare's proxies in that kind of setup.

As for your question, I think some variation on your first suggestion sounds more probable; that is, I would think it's client traffic that causes this.
If you want to determine if those are false positives, you would have to investigate the specific requests that trigger this.

But again, the more urgent step would seem to be the first point I made, which would at least stop you from blocking Cloudflare as that may affect all visitors, not only those who do whatever it is that trigger your blocking (whether legitimate or not).