Why do CDNs allow arbitrary backend to be set, is it not a big security concern?

I found most CDNs allow the user to claim any domains to be the backend, I wonder why they do this instead of verifying if the user owns the backend domain. If I have myowndomain.com and set the backend to be facebook.com, wouldn’t it be an easier way to do attacks such as phishing? Of course, I still need to solve CORS, SOP, and Cookie related issues, but why do CDNs open the backend at the first place?