reCAPTCHA v3 just gives you a score, and you have to decide what to do with it. This means that you should never under any circumstances use reCAPTCHA v3 as a gate with no alternative—otherwise you will certainly be preventing real users from using the system with no recourse, which will regularly have at least theoretically dire legal consequences.
Also, I get the impression that reCAPTCHA v3 is waaaaay less smart than people think. At a small scale, it’s near trivial to tweak your browser so it’ll give scores at opposite ends of the spectrum.
You’re confusing multiple badly named products by Google. You’re thinking of Invisible reCAPTCHA rather than reCAPTCHA v3.
reCAPTCHA v2 is the “I’m not a robot” checkbox widget followed by challenges if Google doesn’t like you.
Invisible reCAPTCHA is reCAPTCHA v2 but the site initiates verification instead of the user being given an “I’m not a robot” checkbox widget to click; but if Google doesn’t like you, it’ll still trap you in the purgatory¹ of puzzle solving. Site operators can then blame Google, for all the good that does. “Invisible reCAPTCHA” is a bad name for the product, because it’s not invisible.
reCAPTCHA v3 never presents a challenge for you to solve, but decides a score (in practice, I’ve only seen 0.1, 0.3, 0.7 and 0.9) where higher means Google’s feeling more friendly towards you, and it’s up to the site operator to decide what to do with that score—whether to simply deny access to people that Google doesn’t like (catastrophically bad and widely illegal, as it blocks legitimate users with no recourse) or to do something else. But now the liability for blocking real people is clearly with the site operator and not Google. But of course far too many people will ignore Google’s “don’t gate on this alone” direction and just see the higher version number and assume it must be better than reCAPTCHA v2. “reCAPTCHA v3” is a bad name for the product because it’s not a CAPTCHA, as there’s no challenge; it’s straight fraud detection.
They shouldn’t have called it a “challenge” there. It’s not a challenge; it’s just executing the verification function. Chalk up another one for harmfully incorrect terminology. (Admittedly “verification” is also an overloaded term, as it gives you a token which your backend subsequently needs to verify.)
(As they confirm near the start of the document, “reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.”)
It doesn't appear automatically, it's programmable [1], you as a developer decide what to do with a low score, you could ask for extra verification for example. I agree with the tracking and privacy issues with ReCAPTCHA.
Not to rely on it, but I've implemented ReCAPTCHA v3 on a couple of websites and got under the impression spambots are detecting and skipping websites who have implemented it altogether.
Also, I get the impression that reCAPTCHA v3 is waaaaay less smart than people think. At a small scale, it’s near trivial to tweak your browser so it’ll give scores at opposite ends of the spectrum.