I mean what makes a ddos service legitimate? Plus security is an endless cat and mouse game and asking the cat what the best way to catch a mouse is may not reveal the same information as asking the mouse how they evade the cat.

There might be too much friction to get someone working for a site to be able to prove it which will reduce sales. It's simpler to just use the legal system to enforce it by putting it in the terms of service.