They do it for lots of right reasons, I'm sure, but they also do it based on simple claims. While I thought that's a great way to hurt any site if such a claim is all it takes, I haven't experimented with it, so I don't know if you have to make it a legalese thing, or if they do some automated checks. But once you get a site flagged, it'll probably stay so, unless they have some very good connections to CF.
They will forward any complaints also to the hosting company of the origin, but if you're not in luck, the site will be hosted at a questionable company that has no trouble hosting phishing sites. Hetzner for example did quickly react and requested comments from us under threat of shutting down the server. They were happy with our response and their own checks however.
Still, I agree that they should have a way of de-anonymizing who is behind a site, their business is in protecting against technical attacks, not protecting against the law.
By contrast, this is the email that a MAANG company received recently regarding a site being reported for phishing one of their login sites:
So I guess they are somewhat arbitrary in their phishing actions.