pull down to refresh

You'll see Cloudflare are aware of this potential problem (of capturing this single feed) in the section named, 'Security of the LavaRand Service'.
In every other case, the malicious entropy feed controlled by the attacker is mixed with a non-malicious feed that the attacker can neither observe nor modify. As we discussed in a previous section, as long as the attacker is unable to predict the output of these non-malicious feeds, they will be unable to predict the output of the entropy feed generated by mixing their malicious feed with the non-malicious feed.
I had the same question, but it looks like they've got it covered.