Why is my naked domain working when I only configured the www?

I set up my domain on heroku/cloudflare. In my heroku settings, my domain is listed as www.my-domain.example. While testing and iterating on configuration, I removed the other entry I had previously added for my-domain.example with its own DNS target from heroku.

On cloudflare, I have two DNS records. One is _domainconnect since my domain is on Godaddy but is pointed at Cloudflare's DNS. The other is this:

CNAME    www    <the DNS target provided by heroku for www.my-domain.example>

I expected my-domain.example to not work, but it does work. It just redirects to www.my-domain.example.

Why is that happening? It's doing the right thing, but I want to understand it so I am better able to handle future issues.

Edit: Wait, it's different from one browser to the next.

In Chrome www is secure and naked redirects to www.
In Safari both www and naked domain are marked "Not Secure".
In Edge, naked domain doesn't load at all while www is Secure. But once I've loaded www, naked redirects to www.
In firefox neither one loads at all.

What is going on?

I added the naked domain back into the heroku list and made a CNAME entry for it on cloudflare, and now edge and firefox work. Safari still marks the site Not Secure both ways. I'm rather confused.

I don't know what you've configured, but your DNS servers reply fine for both cardtavern.com. and www.cardtavern.com:

[~]$ dig cardtavern.com +short
172.67.148.182
104.21.29.91
[~]$ dig www.cardtavern.com +short
172.67.148.182
104.21.29.91

Cloudflare happily serves content at both http and https, with and without www.