Posted by Halver in Privacy (edited)

Matrix keeps growing. Even the French government decided to use it. However, many Free Software activists refuse to use it.

What would you think if you discovered that a new messaging software claiming to be decentralized is sending lots of your private data and metadata to their central servers even though you installed your own instance?

Software must be Free, but that is not enough. This is a story about how power and hype managed to put dangerous software into many Free Software communities.

... https://www.hackea.org/notas/matrix.html

4

Comments


dontvisitmyintentions wrote

The article leaves the question of "who" open, but the latest gist comment puts it in perspective (emphasis mine):

In all cases, we can see the headers set-cookie, server, cf-ray and expect-ct with values set by Cloudflare, which would not be possible if TLS termination was done directly on matrix.org/vector.im servers.

Unfortunately the "Grid" project which claims to want to resolve the privacy issues in defaults and docs seems to want to re-architect the protocol, instead. From a year-old question on the project's status (emphasis mine):

Grid is definitely not stalled, but all the work is currently happening between people who are exchanging and trying new things on a test network. Once we have conclusive data and an API we are happy with, we will update this repository. It will happen at some point this year. It is simply not the only project we are working on, so it all looks slow/stalled from the outside, but it is actually not. At some point there will be an update. But the network and the protocol is in use at the moment, if that can reassure you.

BTW, that gist the article links to is apparently an old version, and the new ones are at https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org/-/tree/master/. And that's a year old. Even chasing down updated docs from these people is tedious. No wonder their code is absent.

All I want is a doc that details how it is and isn't possible to secure a server and client, what you configure and what you patch. Give that a name to fork it, sure. Instead, these are just treatises and blog posts. Many such cases.

2
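A small header check for the evidence the comment above cites, added here as an example (it is not code from the post or from the linked papers). The Cloudflare cookie prefixes and the use of the public /_matrix/client/versions endpoint for a live probe are assumptions outside the page; the sample headers are constructed, not a real capture.

```python
import urllib.request
from typing import Dict, List

# Response headers the comment cites as evidence that TLS is terminated at
# Cloudflare's edge rather than on the homeserver. expect-ct can be set by any
# origin, so it is reported but never treated as decisive on its own.
CF_HEADER_NAMES = {"cf-ray", "expect-ct"}
CF_COOKIE_PREFIXES = ("__cfduid", "__cf_bm")  # assumption: cookie names Cloudflare's edge sets


def cloudflare_indicators(headers: Dict[str, str]) -> List[str]:
    """Return the Cloudflare-related evidence found in HTTP response headers (case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = [name for name in sorted(CF_HEADER_NAMES) if name in lowered]
    server = lowered.get("server", "")
    if "cloudflare" in server.lower():
        found.append("server=" + server)
    cookie = lowered.get("set-cookie", "").lstrip()
    if cookie.startswith(CF_COOKIE_PREFIXES):
        found.append("set-cookie=" + cookie.split("=", 1)[0])
    return found


def terminated_at_cloudflare(headers: Dict[str, str]) -> bool:
    """True only on the strong indicators: a cf-ray header or a Cloudflare server banner."""
    found = cloudflare_indicators(headers)
    return "cf-ray" in found or any(f.startswith("server=") for f in found)


def probe(homeserver: str) -> List[str]:
    """Fetch a public, unauthenticated Matrix endpoint and inspect its headers (needs network)."""
    url = homeserver.rstrip("/") + "/_matrix/client/versions"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return cloudflare_indicators(dict(resp.headers.items()))


# Constructed sample headers in the shape the comment describes.
SAMPLE_CDN_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "0123456789abcdef-FRA",
    "Expect-CT": "max-age=604800",
    "Set-Cookie": "__cfduid=abc123; Path=/; HttpOnly",
    "Content-Type": "application/json",
}
SAMPLE_DIRECT_HEADERS = {"Server": "nginx", "Content-Type": "application/json"}

if __name__ == "__main__":
    print(cloudflare_indicators(SAMPLE_CDN_HEADERS))
    print(terminated_at_cloudflare(SAMPLE_DIRECT_HEADERS))
```

Run probe("https://your-homeserver.example") against your own instance to see whether the same headers show up in front of it.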