cool article to go through (I happen to be working on some hcaptcha integration, so it's right in my field of view), but with all the logic spelled out - surely clever automated attacks will be crafted to pass all these checks, by altering the perceived browser environment to produce the "shape" that's expected?