They don't detect if you're a bot or not; it just makes it more expensive, the idea being that doing $action 10,000 (or more) times becomes much more costly for the attacker, preferably to the point where doing $action (posting spam, creating accounts, etc.) is no longer profitable. It's probably more useful to see it as a ratelimiter than a bot detection mechanism.
Until, of course, the attackers reprogram their FPGAs and can solve challenges 10,000 times faster than a legitimate user. And since you can't request a user to have their phone toast itself at 100% load for 10 seconds, the attackers can solve it in micro/milliseconds for a sip of power.
Actually, this just uses SHA-256 hashing, which already has specialized CPU instructions (that browser WASM can't use) and ASICs.
They don't detect if you're a human exactly. What they do is they create a calculation expense that is negligible if there's one of you but adds up quickly if you're running a bot farm that needs to send out 10,000 requests a second.
So I click the button, my browser does a quick proof-of-work, no big deal.
But an automated script will have to complete that proof-of-work every time it encounters it, skyrocketing the cpu costs for the server.