And it adds much more user friction, essentially requires having a logged in Google account, and may not be as accurate. Nevermind that it is outsourcing that protection to Google, who will definitely use your personal data to sell targeted ads. I don't think Stripe's fraud detection behavior is unreasonable here, and if you're willing to accept fraud liability, you're given the option to disable it (and run your own recaptcha, if you like).
> In contrast, Stripe collects also data from webpages that are not payment pages.
Like recaptcha, whether the Stripe code is included on a given page is solely up to the author of that page.
While I may tend to agree with OP's requests for increased transparency, that desire does not lend its support to other claims about how Stripe's code works. Putting it on every page is not required. Unless I am mistaken, putting it on every page is not even suggested by Stripe. Why anyone would put Stripe or any other third-party code on every page indiscriminately, without considering whether it was necessary, is beyond me.
> Include the Stripe.js script on each page of your site—it should always be loaded directly from https://js.stripe.com, rather than included in a bundle or hosted yourself.
> To best leverage Stripe’s advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect suspicious behavior that may be indicative of fraud as customers browse your website.
You realize for recaptcha to work best you are supposed to use it on all forms and actions and background of pages?
"reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics."
When you say reCaptcha doesn't capture user data are you lying? Have you actually implemented any of this and tried to fight fraud. I ask because you and the original author are making a lot of big claims and ill intent assumptions that literally ANYONE dealing with large scale fraud attempts would see through immediately.
Seriously, everyone else is sticking all sorts of beacons on websites for this - that's currently how it is being done.