Yeah, but that's not what happens with this small German ISP my parents use, which was started because some people and local businesses really got disgruntled at the pricing policy and lack of true broadband by the Deutsche Telekom. This thing is essentially run like a non-profit, the little they make in profit meant to be invested into the company again not to make some investors happy, and is majority owned by the city-owned municipal utilities company, with the rest of the ownership I believe in the hands of some local businesses (some of which quite large) who needed broadband but couldn't get it or only at astronomical prices; they are their own customers and thus not very much inclined to fuck themselves.

They are reportedly very proactive when it comes to CPE security, as well, up to giving customers a proactive phone call when they see somebody is using equipment with known vulnerabilities (customers are allowed to operate their own equipment as long as it is deemed compatible, most will use remotely managed equipment, tho, I believe; my dad used to use his own DSL router and once got such a call if I remember correctly. He switched over to their fiber now and managed equipment).

Their AS is indeed identified as an "ISP" in peeringDB.

While I would be extremely surprised if the company was doing shady things, you surely got a point that a small ISP like that could suffer more in reputation from some few customers being up to shady things, including sub-lending the line. I am pretty sure that is against the ToS, but enforcement is a problem of course. Especially detecting such traffic without violating German privacy laws is probably a difficult task, but it's not impossible.