[ethor]

In my case I am concerned about false positives since visitor experience is a higher priority than blocking all bots. Cloudflare, in my experience, do generate too many false positives when it's too aggressive. A very nice idea though in other cases.

[out-of-ideas]

define what visitor experience means to you; lots of folks think captcha is acceptable, or loading in an operating-system-amount-of-code-for-javascript like reddit does, as acceptable. (if we define OS's as bloat-ware like MS has nowadays (or any carrier specific phone LOL); one could say: reddit is a javascript-OS minus a good website for those emacs/vi fans)

You mentioned that allow-paths is not quite an option as the main page gets hit by the bots; how are you detecting this - maybe some automation here is all that is needed? Note that lots of folks are using ad-blockers of varying sorts which some analytics sites claim as 'bots' or 'grey visitors' which make even landing on some home-pages a very sad experience when a full blown captcha shows up ( then I for sure stay away )