Adversaries do not have to wait for LLM models to evolve to mimic human process, they can simply evade the detection JavaScript that evaluates similarity. JavaScript is visible, can easily be reverse-engineered.
I don't think I've ever known of a captcha that handles the actual result decision in the front end. It's universally just the javascript required for some fancy puzzle UI, which forwards the state to some other endpoint to determine where you're redirected to (CF turnstile) or what signed token should be included in the form request (reCAPTCHA)
I should have been clearer and specific: state management is done on the backend, but collecting behavioral biometrics and device fingerprint is done using JavaScript, which can be manipulated.
You can do it server side. But even so I would think this sort of heuristic detection is unreliable, annoying to real users, and not difficult to circumvent if the attackers actually tried.