I don't think there is any PoW that results in acceptable performance for the user (especially on mobile) while also making the cost for an attacker high enough to deter them.
Even renting the compute on AWS, it only costs $0.01 per minute for the equivalent of a decent desktop computer (c8g.4xlarge). While an attacker will likely either use a botnet, or hardware better suited for solving the PoW than the hardware the user is using.
Though CAPTCHAs don't really work well anymore either, since solving services are quite cheap. Recaptcha is nowadays primarily based on other factors, like IP reputation, susceptibility to google tracking, and behavioral scoring.
Most people engage with web content on relatively low powered machines. If you tune them to be tolerable on a 4 year old mid-range android device, there isn't much cost incurred on a threadripper.
I'd never heard of them before getting them while using Brave search sometimes, I'm not sure I entirely understand how they work and differentiate between a bot and human.
They don't differentiate. They just make it too expensive to be worth paying for the resources required to carry out a spam attack at any meaningful scale.
