In regard to enterprises, they don’t give a rats ass about any potential intellectual property theft. That risk has been written off. What matters is compliance and security.
Not having DDOS protection in place can potentially have legal consequences and can be very costly. DDOS protection is either investing millions of dollars in equipment or offloading that responsibility to a company like Cloudflare.
That's true, I didn't specify the circumstances.
In the case of overt IP theft, the contract is the mitigating factor.
However in the case of convert IP theft through systematic, transparent surveillance of traffic (what OP is alluding to), it's something that you cannot really mitigate apart from just not being digitally present. Cloudflare is a player there, but so is any ISP and nation state who is curious enough. To be on the internet, you have to accept the risk that systematic surveillance can impact your intellectual property.
In some cases, your mitigating factor is the law. But it's really difficult to prove that Cloudflare might be sniffing your data and using the IP unlawfully and it's downright impossible to prove that the NSA or foreign intelligence is using your IP.