Given the resources required, I'd expect a good DDOS service probably has a reputation in the industry, plausibly some sort of certifications, etc. - selling an easily mis-used service requires a lot of protections

Conversely, this site proudly advertises that it has zero "Know Your Customer" restrictions, bypasses Cloudflare protections, etc.

Quoting the site directly: "Some popular use cases are taking down competitor websites, creating unfair advantages in games and personal agendas."

Even their CYA disclaimers are flimsy: "We simply ask to only use our tools on infrastructure that you own or are permitted to attack."

Not "Require", "ask".

And that's diligence that Cloudflare would need to enforce on every single site they have?

This one is fairly obviously bad, but some will be more ambiguous, and I wouldn't expect Cloudflare to be the one policing them all.