He's saying that he suspects CF is slowing his pages down instead of helping him. So if that's the case, the only way to confirm that assumption is to test it. Testing needs to be done with it both on and off.
Regarding exposing the origin... it was exposed before being moved to CF. It's not adding any additional risk that was not already there a few weeks ago.
Regarding testing caching... PMs, ModCP, etc... ALL of those areas require being logged in. If you're logged in... base pages are not being delivered from cache if you've set the cookie values provided by IPS to be ignored. And you can do it with a free plan. It's been explained how to do it already. 🙂
CF API support is not needed. Create the rules defined by IPS already for what not to cache (some specific path values along with 2 cookie values) and you don't have to do anything else.
99.99999% of people don't need local guest page caching. Especially those folks who are setting cache to less than 10 minutes. Unless their site has thousands of concurrent users, it's not needed honestly. So in most cases, the solution is just to do nothing and let the old feature be deprecated. For those that want the value of caching, there are CDNs. And yes, instructions have been provided. 🙂
The cache headers don't specify what can be cached or not. Those are defined in the cache rules. The headers specify how long objects can be stored in cache. For example, base pages should be cached for 15 minutes while CSS/JS should be cached for a year (since IPS automatically renames these files each time a theme is generated), etc.
IPS has been using proper cache control headers for awhile now. In fact, it's been in use on this community here for several years now.
Here's a sample of the headers from an image on this site:
accept-ranges:bytes
age:175880
alt-svc:h3=":443"; ma=86400 cache-control:public, max-age=31536000
content-encoding:gzip
content-length:58464
content-type:text/css
date:Fri, 04 Nov 2022 14:12:53 GMT etag:"7826cec1f91163ffee9f5134a50a4658"
last-modified:Thu, 03 Nov 2022 22:25:00 GMT
server:AmazonS3
via:1.1 aeb4230d4287e12c8862574307ac71a2.cloudfront.net (CloudFront)
x-amz-cf-id:amIQ-EX7iZSTMXVsK88VuD-MAcUupJw7TgKZENPBS4wENhxh17anvQ==
x-amz-cf-pop:MIA3-C2
x-cache:Hit from cloudfront
The cache-control line specifies the type of content and how long it can be cached. The content encoding line says to try to gzip the output to reduce the transfer size. The etag line allows the CDN to better match if content has been changed by matching an ID value of the file instead of trying to get a file and compare it after the fact.