OK, you're willfully missing the point because we're talking about the position relating to Cloudflare's security services, not hosting or other products that have have a more restrictive TOS.
As far as they do mention activity, they do say they ban content related to activity that is, for example, "libelous". So they'll block you for publishing insults about someone, without any further malicious activity.
They also say that they ban content used as part of malware command and control, which seems to cover spamming, meaning that they should have no problem blocking spammers trying to use their "security protection" service.
Of course it turns out I don't even have to use the analogy with spam because CloudFlare's own post that you linked to clearly states they can remove access to content that is "... harmful, or violates the rights of others, including content that discloses sensitive personal information, incites or exploits violence against people or animals ...".
That's literally been KF's modus operandi for years now. Unless CF changed their terms very recently, that behavior of KF has always been proscribed. Yet CF saw fit in their discretion to make a conscious choice to continue aiding and abetting KF in its campaign of doxxing and incitement of violence, something far worse than libel or C2.
> As far as they do mention activity, they do say they ban content related to activity that is, for example, "libelous".
You're again missing the distinction between their hosting policy and their security product policy. This was the important distinction that I first pointed out to 2 comments ago, and that I posted this document which explains clearly 1 comment ago.
> Hosting products are subject to our Acceptable Hosting Policy. Under that policy, for these products, we may remove or disable access to content that we believe:
...
> has been determined by appropriate legal process to be defamatory or libelous.
...
> Our conclusion — informed by all of the many conversations we have had and the thoughtful discussion in the broader community — is that voluntarily terminating access to services that protect against cyberattack is not the correct approach.