You missed one of our best guarded secrets: ja3 hashes and their successors.
Basically, we can identify browsers based on the supported ciphers in TLS handshake (order matters too AFAIK). Then when your declared identity is not matching the ja3 hash, you're automatically suspicious, if not blocked right away. I think that's the reason for so many Capchas.
I built a nice tool to visualize that: https://tls.peet.ws.
Its not that secret anymore though, more and more libraries are starting to allow spoofing for browser tls configs.
There isnt really a cat/mouse game here - once you match the latest chrome, there is nothing to fingerprint
I do not think I understand that website. I see that JA3 always gets changed after refresh, but not sure what JA3 is. Why is it always different, and is it good or bad?
Modern browsers randomise parts of the handshake, which results in an unstable ja3. ja4 and others normalize the relevant details to make the fingerprint constant again.
It tends to identify your platform/browser version, with relatively low granularity. Unless you have an unusually rare OS/browser config, it won't deanon you on on its own. But it can be combined with other fingerprinting vectors.
I'm not sure about JA3, but JA4 is basically fixed for all recent Chrome versions across many platforms so you definitely would not want to ban that. JA3/4s are basically just good at detecting people using python who are pretenting to be Chrome. And even that's patchable with packages like curl_cffi
Basically, we can identify browsers based on the supported ciphers in TLS handshake (order matters too AFAIK). Then when your declared identity is not matching the ja3 hash, you're automatically suspicious, if not blocked right away. I think that's the reason for so many Capchas.