Would it be possible that your hosting provider added the plugin for you?
Sucuri Inc. got acquired by GoDaddy Inc. on April 2017 and through multiple integrations of the systems, the later have pushed (for free) some of Sucuri products to existing clients.
If your website is hosted by GoDaddy, the existence of the Sucuri WordPress plugin in your website can be explained by the fact that one of their support agents considered it appropriate to install it after noticing that your website was infected with malware, the plugin acts as a shield to both clean and protect from future attacks. The other option would be to suspend your website to prevent the spread of the malware through the other shared accounts, and I guess you don’t want that.
Please talk with your hosting provider about this for confirmation.