Hacker News

It depends on your goals.

If your goal is to tick a compliance box saying "no third-party has access to our private key" or "our private key never leaves our DC", then they have it figured out. If you want an additional barrier between your web server and your private key for Heartbleed-like vulnerabilities, this is also a viable solution.

If your goal is to have end-to-end encryption between your server and a visitor, or hope this is going to protect you in case CloudFlare or GitLab are owned, then this isn't a real solution. CloudFlare has access to your session keys, and if they're owned, those can be logged and used to decrypt traffic. Even with a leaked private key, older sessions would be safe thanks to PFS ciphers, so Keyless SSL doesn't really change anything here.
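To make the split the comment describes concrete, here is an added toy model of a Keyless-SSL-style handshake. It is not CloudFlare's code or the real Keyless SSL protocol; it assumes textbook RSA with two small primes in place of the certificate key, plain Diffie-Hellman mod p in place of ECDHE, and a direct method call in place of the secured edge-to-key-server channel. The names `KeyServer`, `Edge` and `Client` are invented for the example.

```python
"""Toy model of the Keyless SSL split: the private key stays in the origin's DC
and only signs handshake transcripts, while the CDN edge terminates TLS and ends
up holding the session key. Standard library only; all primitives are toys."""
import hashlib
import secrets

# Toy DH group standing in for ECDHE: 1e9+7 is prime and 5 generates the group.
DH_P = 1_000_000_007
DH_G = 5


def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def derive_session_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


class KeyServer:
    """Lives in the origin's DC. Holds the certificate private key and only ever
    answers 'sign this hash' requests; it never sees randoms, DH values or data."""

    def __init__(self, p: int, q: int, e: int = 65537):
        self.n = p * q
        self.e = e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private exponent never leaves here
        self.audit_log = []  # hashes the edge asked us to sign

    def public_key(self):
        return (self.n, self.e)

    def sign(self, transcript_hash: int) -> int:
        self.audit_log.append(transcript_hash)
        return pow(transcript_hash % self.n, self._d, self.n)


def verify(public_key, transcript_hash: int, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == transcript_hash % n


class Edge:
    """CDN edge. Terminates TLS: generates the ephemeral key, asks the key server
    for a signature, and derives the session key, so it can read all traffic."""

    def __init__(self, key_server: KeyServer):
        self.key_server = key_server
        self.session_key = None

    def handle_client_hello(self, client_random: bytes, client_dh_pub: int):
        self.server_random = secrets.token_bytes(32)
        eph_secret = secrets.randbelow(DH_P - 2) + 1  # local only: discarded after use
        self.dh_pub = pow(DH_G, eph_secret, DH_P)
        transcript = client_random + self.server_random + self.dh_pub.to_bytes(8, "big")
        signature = self.key_server.sign(sha256_int(transcript))  # only the hash crosses
        self.session_key = derive_session_key(pow(client_dh_pub, eph_secret, DH_P))
        return self.server_random, self.dh_pub, signature


class Client:
    """Visitor's browser: trusts the certificate public key, verifies the edge's
    signed transcript, then derives the same session key from its DH share."""

    def __init__(self, server_public_key):
        self.server_public_key = server_public_key
        self.client_random = secrets.token_bytes(32)
        self._eph_secret = secrets.randbelow(DH_P - 2) + 1
        self.dh_pub = pow(DH_G, self._eph_secret, DH_P)

    def finish(self, server_random: bytes, server_dh_pub: int, signature: int) -> bytes:
        transcript = self.client_random + server_random + server_dh_pub.to_bytes(8, "big")
        if not verify(self.server_public_key, sha256_int(transcript), signature):
            raise ValueError("bad transcript signature: not the real origin's key")
        return derive_session_key(pow(server_dh_pub, self._eph_secret, DH_P))


def run_handshake():
    """Run one handshake; returns (key_server, edge, client_session_key)."""
    key_server = KeyServer(1_000_000_007, 998_244_353)  # toy primes, constructed
    edge = Edge(key_server)
    client = Client(key_server.public_key())
    server_random, server_dh_pub, signature = edge.handle_client_hello(
        client.client_random, client.dh_pub)
    client_key = client.finish(server_random, server_dh_pub, signature)
    return key_server, edge, client_key


if __name__ == "__main__":
    ks, edge, client_key = run_handshake()
    print("edge and client agree on session key:", edge.session_key == client_key)
    print("key server saw only transcript hashes:", ks.audit_log)
```

After `run_handshake()`, `edge.session_key` equals the client's key while neither `Edge` nor `Client` ever holds the private exponent `_d`, and `KeyServer.audit_log` shows the only thing that crossed to the origin was a hash. That is the comment's point in one picture: a compromised edge reads every session it terminates, and a leaked `_d` combined with a recorded transcript (randoms, DH shares, signature) yields nothing about `session_key`, because the ephemeral secrets that produced it were never stored.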
