They don't have the private keys so they can't use it to monitor your users or decrypt the communication, they are also switching off OCSP stapling which could be theoretically used to monitor who is accessing what. The only issue is that they can issue/be forced to issue another certificate and honeypot your users... They will probably do that if forced by a judge, and if not them another cert authority probably would.

Much much much bigger risk is Cloudflare which has access to all the traffic, completely unencrypted. Their service is essentially Man-in-the-middle.