To some extent. Security features in the free plan are somewhat limited in terms of capabilities.
Bad IPs will be handled by the Security Level feature - you may set the level to High for higher protection.
You may also enable Bot Fight Mode, but it’s not a very powerful feature and other complicated bots will still pass through.
It depends. It’s OK to JS challenge everyone if your users will not get annoyed with the few seconds of challenge page; however, you will be blocking good bots like Googlebot or Bingbot from accessing your website too. You may consider allowing “Known Bots” in the firewall so that at least good bots can go through.
Anyway, having a firewall rule to JS challenge everyone is doing almost the same stuff as setting Security Level to “I’m Under Attack!”.