[SpicyLemonZest]

In that hypothetical I'd grant that the answer is clearly yes, but it's not obvious to me how DDOS mitigation would help a company stay out of reach of law enforcement or regulators, unless Cloudflare is refusing to comply with subpoenas for customer information.

[luckylion]

For most of the world, that's what it does: it only answers to US courts [1]. I'm sure you can imagine that this will only be a way for major crimes (murder, maybe, state level espionage and large scale ransom ware attacks, probably), essentially shielding all the common criminals like DDOS-for-hire from prosecution outside the US.

From their policy:

Cloudflare has long held the view that non-US governments should have to follow the same due process requirements to obtain any records about our customers. A number of US laws, like the Stored Communications Act or the Electronic Communications Privacy Act restrict companies from providing particular types of data, such as the content of communications, to any person or entity, including foreign law enforcement agencies, without US legal process. While there may be situations in which it might be appropriate to provide basic subscriber information in response to non-US legal process that complies with principles of due process, we generally believe that the best way forward at this time is for governments outside the United States to issue requests to us through a US court by way of diplomatic process like a mutual legal assistance treaty (MLAT) request.

[1]: https://www.cloudflare.com/trust-hub/law-enforcement/