>I find it very difficult to believe they won't remove sites involved in clear phishing or malware delivery campaigns, if they can verify it themselves or in cooperation with a security team at a company they trust.

You may find it difficult to believe buts its true. Tons of phishing and malicious websites use CF nameservers to prevent ddos attacks and etc and Crimeflare will not terminate their access or accounts when reported for the reason I stated above. Even if it's something obvious like coinbase-account-login.com or etc. they do not give a fuck.