
ReCaptcha is about the only Google product that I still have to use... some 15% of websites I use eventually make me reCaptcha.

Everything else is blocked with pihole/uMatrix/pf. Been this way for about six months now. Occasionally I still youtube-dl from a server and scp the file locally.




You don't have to use ReCaptcha. You just elect to do your business in another way or with another company. For example, I was a lifelong member of a regional bicycling club until they started trying to force me to solve ReCaptchas whenever I'd need to log in to their web site, and they stopped accepting membership dues and event registration fees by a check in the mail. That was easy enough: I stopped giving them money, and I started self-supporting on any ride events they held out on public roads. My kid's pediatrician threw a ReCaptcha in my face after I entered all the information to make an online payment. I closed the tab and sent them a check.

At first I got passive-aggressive about it. I would purposely fail the ReCaptcha and then contact support to tell them it wasn't working. They'd always provide a workaround. But then I realized it was easier just to stop giving them my business. For me personally, so far it really hasn't been any kind of big inconvenience.


There are states where paying your sales taxes for your business or performing online DMV transactions requires reCAPTCHA.


Personally, every time someone asks me to pay them with money I roll my eyes and slap down some silver coins. I got in a big fight with the bus driver the other day because fluctuations in the price of silver made the same amount of silver no longer cover the fare.


I imagine they saved more money stopping accepting checks than they gained from you as a member.


The amount of inconvenience will vary heavily from person to person.


[flagged]


Have you tried using a different signature for each respective service?


I try to avoid services which use ReCaptcha as much as I can.


What do you replace it with?


Disclaimer: I was part of hCaptcha team.

https://hcaptcha.com/ is a drop-in replacement for reCAPTCHA.

It's privacy focused (supports Privacy Pass), and is fair: webmasters get a cut for each captcha that is solved correctly (they can choose to directly donate it to a charity of their choice), hCaptcha gets a cut for running the service and a customer will get their images/data labeled.


In a lot of projects lately where I've seen ReCaptcha used or requested I've replaced it with YAGNI [You Aren't Going to Need It]. It's a "what's your threat model?" question for Bots.

Do you have the scale that human moderators are infeasible? (Not do you "wish to have". YAGNI suggests add it when you have that scale, not before.)

Do you need that form to be publicly accessible?

Are you requiring multi-factor authentication already? Can you or should you?

Can you use a spam filter? (Are you sure your process isn't already going through half a dozen email spam filters anyway?)

Do the simple tricks not work for your use case? (CSRF tokens, "honeypot fields", form name/ID obfuscation, dumb simple weird rotating required fields like "2 + 2 =?")


I recently had to add a 10 second period where the contact form send button is disabled but appears to still work.

There was daily contact form spam coming from tor exit nodes. Only flaw is that it always sends the message within 7 seconds. That is faster than a human could get to the form and type a meaningful message.

So I was able to avoid blocking tor exit nodes by adding this timeout. This has solved the issue, for now.

Requiring JS execution by only accepting JSON stopped the lazier bots.
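
The honeypot field and minimum-fill-time ideas from the two comments above, sketched as a server-side check. This is an added example, not code from any commenter; the field names, the secret, the signed hidden timestamp and the one-hour expiry are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret loaded from config
MIN_FILL_SECONDS = 10              # the delay chosen in the comment above
MAX_AGE_SECONDS = 3600             # assumption: a form older than an hour must be reloaded
HONEYPOT_FIELD = "website"         # hypothetical hidden field a human never sees or fills


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.signature' to embed in a hidden input when rendering the form."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Classify a submitted form (dict of strings): 'accept' or the reason to drop it."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"
    ts, _, sig = form.get("form_token", "").partition(".")
    # Signature check first: the client cannot backdate the timestamp to look slower.
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return "bad_token"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return "too_fast"
    if age > MAX_AGE_SECONDS:
        return "expired"
    return "accept"


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed render time
    token = issue_token(now=t0)
    samples = [                              # constructed submissions
        ("bot after 7 s", {"form_token": token, "message": "buy now"}, t0 + 7),
        ("human after 45 s", {"form_token": token, "message": "hello"}, t0 + 45),
        ("honeypot filled", {"form_token": token, "website": "x"}, t0 + 45),
    ]
    for label, form, when in samples:
        print(label, "->", check_submission(form, now=when))
```

A dropped submission can still be answered with the normal success page, which matches the button that "appears to still work": the sender gets no signal about which check failed.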



