By tiered flat fee, does that mean that if my little website was DDoSed, they'd stop serving traffic once the amount of data I've paid for is used up? I'd be fine with that. Being billed for more than the data I wished to pay for would mean doom.

You can also get dedicated server from them. I was hit with DDoS of about 40Gib/s, the filtering kicked in, users still were able to use website.

NearlyFreeSpeech seems to fit your needs:

https://www.nearlyfreespeech.net/

NFSN, while neat, is not a CDN.

Yes, if you exceed the bandwidth, they revert the DNS back to whatever the defined back end is.

Is there an option to not revert DNS but instead to just temporarily remove the DNS records or something in case one doesn't want the IP addresses of the origin servers revealed?

Not that I can see in the documents, but I imagine you could handle that yourself by not serving traffic if the request body doesn't have the appropriate proxy headers.

I have my origin servers firewalled to allow only traffic from CloudFlare servers and would do the same in case I switched to OVH, but even so it would cause a lot of trouble if the origin server IP addresses were revealed since this would let the attackers target the network I'm on directly.

That link goes to their CDN offering for me. Do you have more info about their ddos protection?

They don't have documentation on how their DDOS protection specifically works with the CDN, but there is this:

https://www.ovh.com/us/anti-ddos/