There is no less sensitive permission that would let you implement an extension like this. "Access your data" means "run JavaScript in page context" and you need to do this in order to get the browser to send the CAPTCHA token to the server. The only technical restrictions you can apply to this are domain-based, but you can stick CloudFlare on any domain.

Plenty of other useful extensions need this permission too.

I'm not sure how addons can bypass V2 reCAPTCHAs as they operate from iframes and JavaScript can't acces cross-domain content to, ie, click buttons, access urls, or interact with forms. Nonetheless it seems to work, so maybe addon JavaScript is more privileged than developer-console JavaScript.

I've seen some v3 reCAPTCHA solvers, such as pyPasser, but I don't understand how they work. They seem to use a hard-coded constant to perform a replay attack to get a token which is guaranteed to succeed ie generate a high score. But... that can't be possible, can it?