This whole thread seems to imply that IPs can be the sole reason for a Cloudflare Captcha challenge being shown. But CF has introduced recently Firewall Rules, which gives website owners a lot of flexibility in defining what to Challenge (Captcha), JS Challenge or Block.
Before Firewall Rules were announced, site admins could already require a captcha to be shown for specific IPs or IP ranges, ASN, User-Agent, and Country.
Also, by using Page Rules, a website could set a lower or higher security level for its different sections.
Now with Firewall Rules, a website can combine multiple elements. For instance, I could set my website to show a captcha for users
- coming from country US and threat score greater than 30; or
- coming from outside US and threat score greater than 10; or
- coming from countries RU or CN and a threat score greater than 0; or
- coming from UA representing old or odd browsers
While arbitrary, any such filters in Firewall Rules set by website admins could be responsible for visitors seeing more captcha pages. While the idea is to bar bots and malicious actors, there will always be some unintended targets. And since we don’t (and won’t) know how the threat score is calculated (see hint below), there’s little one can do to mitigate a situation where an individual IP is being challenged, other than request that the site owner whitelist the IP.
I don’t know if this will help, but from reading some CF tweets I understand that resolving the captcha reduces the threat score of any given IP. (And, I deduce, abandoning a page after being shown a captcha may increase the threat score associated with your IP)