I have a suggestion for Cloudflare: implement a combination of both Google reCaptcha V2 and the new invisible reCaptcha V3 as an option for the firewall rules and Under Attack mode, as follows:
It implements the invisible reCaptcha V3 by injecting its JS code in the response request headers and does the validation on the Cloudflare server. If the reCaptcha response score is suspicious or at the level set by the site admin in the Cloudflare panel, then Cloudflare forwards the user to a reCaptcha V2 on the next requests or visits to the site by setting a cookie in his browser.
So in short:
Validate the user invisibly with reCaptcha V3.
If the validation is suspicious, set a cookie to mark that user for the next request, to challenge with V2 or ban him.
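
One way the score check and the cookie mark summarised above could look on the server side, as an added example that is not part of the original post and not Cloudflare's code. The key, threshold, host, action name and client identifier are assumptions, and the siteverify responses are constructed samples.

```python
import hashlib
import hmac
import json

COOKIE_KEY = b"constructed-demo-key"  # assumption: secret held only by the edge server
THRESHOLD = 0.5                       # assumption: score level set by the site admin
EXPECTED_HOST = "example.com"         # assumption: the protected site
EXPECTED_ACTION = "pageview"          # assumption: action name passed to reCAPTCHA v3

# Constructed siteverify responses (not captured traffic).
HUMAN = '{"success": true, "score": 0.9, "action": "pageview", "hostname": "example.com"}'
BOT = '{"success": true, "score": 0.1, "action": "pageview", "hostname": "example.com"}'

def decide(verify_json: str, threshold: float = THRESHOLD) -> str:
    """Map a reCAPTCHA v3 siteverify response to 'allow' or 'challenge_v2'."""
    try:
        r = json.loads(verify_json)
    except ValueError:
        return "challenge_v2"  # fail closed on an unparseable response
    if not isinstance(r, dict) or r.get("success") is not True:
        return "challenge_v2"
    if r.get("hostname") != EXPECTED_HOST or r.get("action") != EXPECTED_ACTION:
        return "challenge_v2"  # token was issued for another site or action
    score = r.get("score")
    if type(score) not in (int, float) or score < threshold:
        return "challenge_v2"
    return "allow"

def make_mark(client_id: str, now: int, ttl: int = 3600) -> str:
    """Signed cookie value marking this client for a v2 challenge until expiry."""
    body = f"v2|{client_id}|{now + ttl}"
    sig = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def mark_is_valid(cookie: str, client_id: str, now: int) -> bool:
    """True only for an unexpired, untampered mark bound to this client."""
    try:
        tag, cid, exp, sig = cookie.split("|")
        expiry = int(exp)
    except ValueError:
        return False  # wrong field count or non-numeric expiry
    good = hmac.new(COOKIE_KEY, f"{tag}|{cid}|{exp}".encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig.encode(), good.encode())
            and tag == "v2" and cid == client_id and now < expiry)
```

Because the mark lives in the client's cookie jar, a client that discards it returns unmarked; keying the same decision on server-side state avoids depending on the cookie being sent back.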