Cloudflare is the safest in that you can use Cloudflare tunnels to somewhat hide your origin.
Otherwise your origin is still public and there are ways to find out and attack it (bypassing Bunny) easily.
Cloudflare also has a WAF that Bunny says is coming soon (doesn’t apply to DNS only).
Bunny DNS is a relatively new product so it’s not as well tested.
BunnyCDN DDoS protection is made to protect their servers and the customers, it's not meant to serve your service as a shield against attacks.
This is a common misconception with many providers, they have DDoS protection to ensure that an attack against them won't cause your website/service being unavailable, however, if an attack targets your service, it most likely won't be filtered by their system.