reCAPTCHA v3 validation and score issue
I'm using Google reCAPTCHA v3 on my site. I intercepted the requests used to get the captcha value, which is sent to my backend server at the last stage. The network requests are as follows:
1. GET www.google.com/recaptcha/api2/anchor?ar=1&k=MY_SITE_KEY&co=SOME_CODE_HERE&hl=en&v=SOME_CODE_HERE&size=invisible&cb=fdjhflkdjldfj . This request is sent and the response contains recaptcha-token.
2. The recaptcha-token received from the previous response is used to formulate a POST request to www.google.com/recaptcha/api2/reload?k=MY_SITE_KEY, and the request will have Content-Type: application/x-protobuffer. The POST request has a lot of information in the body and it is not readable. The response of this request will have the actual captcha token that will be sent to the backend server and then validated by Google.
```http
POST /recaptcha/api2/reload?k=MY_SITE_KEY HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-protobuffer
Content-Length: 6514
Origin: https://www.google.com
DNT: 1
Connection: close

5jg5fr8dsdfsffffdfddsf5dsf6s03AGdBq25bIYfsddfdsffsdtMhUdgdgdsfswdfsfdfsdfsdfIoxLpxkNf9gh2zpQQfWqy8fDPh2juM8i5o3XwUVu1bj514acUgCT9WrtG2jwMMffZ9O1c-zS2vSEMwK9yb2GGFVl3hd_FO8fmtHkDcJBohWfxtFqwQzv8pkRlfVMpROiIQqMhB7NxJaFSfAwfzrg66fsjff2NrKFOZQ4qfniYNvjxyJw2sesUntfEY_ktufH5Q9o7ndzf3Ws8NOGasTxLMM-dsfdsgCPqoJ6Nz6rwep3sdfsdfdsfds5wEi_5Co_POdBaejwRfBYATssqCulwlsyvwpNhH8U1vwxm6Lz6xEz6Xen8IcJfAoswNZHx-NvTL2Qzfsdfsdftw
```
In the previous two requests I did the following:
- used the same first request to get the recaptcha-token;
- changed the second request to a new request to the same path but with Content-Type: application/x-www-form-urlencoded and a body with the needed parameters (I found this sample request by intercepting requests from the following example, https://www.google.com/recaptcha/api2/demo , where I got a request to the path /recaptcha/api2/userverify that has some parameters similar to the original request).
New Request:
```http
POST /recaptcha/api2/reload?k=MY_SITE_KEY HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://www.google.com
DNT: 1
Connection: close
Content-Length: 2648

v=fdgdfgfdgfdgdfgdfgdfg&reason=q&c=03AGdBq24NKRvgQ9EwzfnPId4hR4cILxjFOneX4Sy8351xWji_VQIn_DPkgFnS7LBlAb5hRF3JID6lJnfXonVqcyVn0sssssioCClJAP1s51sxsssv4cKdfgfdgfdggfdgfdgUPZgFwrZP0mSx66uZ5gJgUZ0nqpj96gfdgdfgdfsBBWgdfgfdzoX27dGKFrssmu-IfqFqTyjdfgdfgdf2yCqpENBadrRAUtVSiBYkgdfgdfgdfgrgaX5LOjGoVf-maMV7hqMlpOVGb-BMaYhsssRyOsssEAlssyDOuftfddgdfgdfgdfv6Zr-gaeeOspg9_-VhPOZSgQMT_k2ss0M5gfdggdfgdfgdfgdfgdfgdfgjag1xU_-DiV4pL0ohjxbsssTkBmBrmApOIUWqkAshWxck8XWCzkTP6sssAP5YJygdfgdfgdfuUp5Ru9-sScQs80j2lj&co=gdfgfdgsssfdgwdwdadsadsadasdasdasd&hl=en&size=invisible&chr=%5B89%2C6sss4%2C27%5D&vh=135sss99012192&bg=!b2mgaWwKAAQeDjZybQsssEHDwIbeVoCNhLRRCE9qZxCQZx-6SGETEsssseRXgKCPBGhNh3Nj-u-V49g_B1QeEHd-mv4ssGqhGVqsZtSb-tmMlssssssadsdasdsadx-m_nrKwd07N1PV0dadasdassdas_EJCHbNvvCeNC6YJP_kcroXlFGdMqj7huMhj34VpVktyiUW0IuUezBFwEYzvbjLNKSrjE494Gwdasdsadp_C50VZn1hjiasdasdsaQk6SUNgMFQAi8V9rHQQJjEf8dSCQItFCPCfHu89ssRt0RFmXBconTjwPSy4qfGckOHjaGr9o31V34citVaeoXQat1_AdasdasW-O2Pa2Ksadsadsadsalwvdasdas2Ys20KHFBYiZ9Ryh0V9H5PAx4qcATrU_o6hMdsadsa_PfysLJHhPOecAG1k7XTCdsadasLgYwzTFrhv6nm7Oa3dXm9KzhiSMVwA6YMm6xY3WWrJO6wLzGg7HoEMzoZM1zhZW9FaaF9r6tHG3iC5bFRrcmtby1N2HC-8ArrtSG1A7nuPbRVVk6uRRg9tM5N-YGGfGEVJ9c1Gqk7i5G
```
My Questions:
1. After doing the previous changes I was able to send both new requests to Google and get a valid captcha token, which I added to my request and which was correctly validated at the backend. So how did changing the second request's Content-Type and body to totally different values not affect the functionality, so that I could still retrieve a correct captcha token, send it to the backend and get it validated?
2. I used this site https://www.google.com/recaptcha/api2/demo and intercepted the requests. I took the value of the POST body parameter named bg from the request with path /recaptcha/api2/userverify, put it into my newly edited POST request (mentioned above) with path /recaptcha/api2/reload, and started using it in requests to generate captcha tokens. The requests work, and a valid captcha token was retrieved and checked in the backend. How could this happen and work well, getting a value from another request in another site's captcha flow and using it inside my requests, which relate to the captcha of my site?
3. I used the previously mentioned requests (the requests mentioned in points 1 and 2 above) in some tool to make automated requests against my site. The tool will first GET www.google.com/recaptcha/api2/anchor to get the recaptcha-token and then make another POST request to www.google.com/recaptcha/api2/reload?k=MY_SITE_KEY (with Content-Type: application/x-www-form-urlencoded rather than Content-Type: application/x-protobuffer) to get the real captcha token that should be sent to the backend. Once I receive the captcha token I validate it using this site https://www.google.com/recaptcha/api/siteverify and it gives a score of 0.9!! How can an automated script generate a captcha token with a score of 0.9? Isn't this a bypass and a flaw in the captcha?
4. Using the same automated tool mentioned above, sometimes the generated captcha tokens get a score of 0.9 and other times 0.3. Why is there such variation, even though it is an automated tool?
5. What is the best alternative to reCAPTCHA v3 that is more reliable and secure?
Thanks.
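The question treats the siteverify score as the whole decision, but on the server side a reCAPTCHA v3 token should be checked on several fields of the siteverify response, not just the score: `success`, the `action` the page requested when it called `grecaptcha.execute`, the `hostname` the token was issued for, the `challenge_ts` age, and only then `score` against a threshold chosen for that action. The following is an added example written for this page; it is not code from the question or from Google. It assumes a hypothetical site on `example.com`, an action name `login`, a threshold of 0.5, and constructed siteverify responses embedded inline for offline testing (the real `siteverify` call is in `fetch_siteverify` and is only used by `verify_token`).

```python
"""Server-side policy check for reCAPTCHA v3 siteverify responses (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret, token, remote_ip=None, timeout=5):
    """POST the client token to siteverify and return the parsed JSON (network call).

    siteverify itself rejects a token that is submitted a second time with the
    error code "timeout-or-duplicate", so each token is verified exactly once.
    """
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def evaluate(result, expected_action, expected_hostname,
             min_score=0.5, max_age_s=120, now=None):
    """Apply policy to a siteverify response dict. Returns (accepted, reason)."""
    if not result.get("success"):
        return False, "siteverify failed: " + ",".join(result.get("error-codes", []))
    # The action is set by the page's grecaptcha.execute(siteKey, {action}) call;
    # a token minted for a different action must not be accepted for this one.
    if result.get("action") != expected_action:
        return False, "action mismatch: %r" % (result.get("action"),)
    # The hostname is the site the token was issued for; a token obtained in
    # another site's captcha flow carries that site's hostname.
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % (result.get("hostname"),)
    # challenge_ts is ISO 8601 UTC; reject stale tokens (v3 tokens expire
    # after two minutes on Google's side as well).
    try:
        issued = datetime.strptime(result.get("challenge_ts"),
                                   "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False, "missing or malformed challenge_ts"
    now = now or datetime.now(timezone.utc)
    age = (now - issued).total_seconds()
    if age < -30 or age > max_age_s:
        return False, "token age %.0fs outside window" % age
    score = result.get("score")
    if not isinstance(score, (int, float)) or score < min_score:
        return False, "score %s below threshold %s" % (score, min_score)
    return True, "ok score=%s" % score


def verify_token(secret, token, expected_action, expected_hostname, **policy):
    """Fetch and evaluate in one step; this is what a login handler would call."""
    return evaluate(fetch_siteverify(secret, token), expected_action,
                    expected_hostname, **policy)


# Constructed sample responses (not real siteverify output) for offline testing.
FIXED_NOW = datetime(2021, 4, 1, 12, 0, 30, tzinfo=timezone.utc)
STALE_NOW = FIXED_NOW + timedelta(minutes=5)
SAMPLE_OK = {"success": True, "score": 0.9, "action": "login",
             "challenge_ts": "2021-04-01T12:00:00Z", "hostname": "example.com"}
SAMPLE_LOW_SCORE = dict(SAMPLE_OK, score=0.3)
SAMPLE_WRONG_HOST = dict(SAMPLE_OK, hostname="www.google.com")
SAMPLE_DUPLICATE = {"success": False, "error-codes": ["timeout-or-duplicate"]}


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("low", SAMPLE_LOW_SCORE),
                         ("host", SAMPLE_WRONG_HOST), ("dup", SAMPLE_DUPLICATE)]:
        print(name, evaluate(sample, "login", "example.com", now=FIXED_NOW))
    print("stale", evaluate(SAMPLE_OK, "login", "example.com", now=STALE_NOW))
```

The threshold is a per-action risk decision rather than a fixed constant: a score of 0.3 on a login can be routed to a second factor or a rate limit instead of a hard reject, while the same score on a free-form contact form may simply be dropped. Whatever the threshold, the action and hostname checks are what tie the token to this site and this form, and they cost nothing extra since the fields are already in the response.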
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
