I could go on about the problems with hCaptcha, and why it’s generally worse than reCaptcha, but I’m not. I’ll get straight to the point with this:
I don’t like hCaptcha, nor do I want it anywhere on my website. Bot protection forcibly uses hCaptcha now, and I’d rather have it off than deal with hCaptcha. But this opens the door to bot attacks. It should 100% be up to the user of which captcha they use on their site, especially if it involves hCaptcha. If I have to add my own site key and private key, that will be fine by me, as long as my site never, ever uses hCaptcha.