Yes, it's unfortunate that a network service provider whose primary business model is checks notes preventing network abuse would try to detect and prevent abuse via various heuristics such as captchas.

I also agree that Cloudflare should get all the blame here, since none of their customers voluntarily chose to use them, and Cloudflare doesn't give their customers a huge variety of options for bot detection sensitivity.

Matt Prince personally kidnaps CTOs and waterboards them until they agree to use Cloudflare, and the thousands of configuration options and rule combinations on the WAF are just for show - customers can't actually use them.

What an evil, evil company.

It's the same people who believe software has no settings.

I assume this is only on sites that are on Cloudflare though. Or, no?

True, but a lot of sites use Cloudflare. It's sometimes very unexpected sites as well, both very large ones and very small ones.