How would you do that without handing over your private keys? Otherwise gitlab couldn't serve your site. Also, as soon as you point an A record of your domain to somebodies server, they're able to get valid certificates through acme (which is probably what they do). If you don't trust somebody, don't point your domain to them.
If your goal is to tick a compliance box saying "no third-party has access to our private key" or "our private key never leaves our DC", then they have it figured out. If you want an additional barrier between your web server and your private key for Heartbleed-like vulnerabilities, this is also viable solution.
If your goal is to have end-to-end encryption between your server and a visitor, or hope this is going to protect you in case CloudFlare or GitLab are owned, then this isn't a real solution. CloudFlare has access to your session keys, and if they're owned, those can be logged and used to decrypt traffic. Even with a leaked private key, older sessions would be safe thanks to PFS ciphers, so Keyless SSL doesn't really change anything here.
It's entirely possible that GitLab could integrate Let's Encrypt and generate their own private keys. Some large shared hosting providers already do this (e.g. DreamHost).
Keys are cheap and plentiful, just regenerate & reissue however often you like. The paid CAs I've used do free reissues with new CSRs no problem. You are already trusting them to serve your site so adding a private TLS key isn't a big deal.
The only downside I could think of is if you are using HPKP with a long duration, you could have issues with rapidly changing keys. But I wouldn't expect GitLab Pages to support setting those headers so probably another non-issue.
