
I haven't seen an attempt by Cloudflare at claiming that this definitely didn't happen. They may still be working on it. It's possible that the question is basically unanswerable even with logs.

As you say, in the presence of uncertainty it's most prudent to assume that this actually happened.



They seem to be presenting some dubious calculations made to imply that it was highly unlikely to happen.

The reason why I consider them dubious is that anyone simply searching the name of some HTTP headers in Google et al. could have stumbled into this. I don't find it at all unlikely to happen in a timespan of 5 months.


The odds that Google had the first team of researchers to trip over the bug are low. But we know that they were the first team to disclose the vulnerability, and the only reason not to disclose it is if you wanted to exploit it.

So the key question really isn't "how likely was someone to find this", but "how likely is it that Project Zero was the first". I think it's hard to estimate odds, but I'd be surprised if it was even as high as 50%; there's too many teams, individuals, freelancers, state actors, etc. actively engaged in looking for this kind of thing.


Many people probably tripped over the bug but didn't know what it was.

The data it reveals isn't guaranteed to be obviously private and exploitable. It can just look like a valid but useless response, or an invalid and corrupted response depending on what you were looking for in the first place.


At this point we can mostly disregard what they claim did or did not happen, considering that they also claimed that all leaked memory had been purged from search engine caches.



