Pushing agent workflows over email has some risks not present for HTTP. Transit security is still a problem for email as we're stuck in the opportunistic encryption stage. If you decide to use email-based agents, look into MTA-STS as a way to prevent downgrade attacks. It looks like Cloudflare supports this, but it isn't enabled by default or called out in the on-boarding process.

https://developers.cloudflare.com/email-routing/setup/mta-st...