Any website can get DDoS-ed regardless of where it’s hosted.
I could go into detail here, but I wrote a few long posts about them already last week where I outline the point:
TL;DR: If your website gets attacked, we’re taking that out of your server power allocation. Undesired traffic is still traffic and traffic uses server power, which is a limited commodity. We’re not going to allocate you with additional server capacity to handle the attack on your website, and hurting everyone else’s site in the progress, or pay for that server power for a handful of sites getting attacked.