I understand that, but what I'm saying is that due to the wide gulf between the compute budget of the slowest device one is meant to support and a couple of commodity VPSs adversaries need anyway to conduct a DDoS or to spam, there is ostensibly no extra cost.
In fact, all you are doing is slowing down legitimate clients with old equipment and doing nothing against adversaries.
I've seen a PoW CAPTCHA (https://github.com/mCaptcha/mCaptcha) and at the time it did not make any sense to me. I would still get spam, just a tiny bit slower, and spammers would have to expend more resources for just my site, which would barely register on their bill.
I bet that requiring JS stops more spam than the PoW itself. Can anyone who tried it chime in?
Oh, I see, it's effective against 'someone [who] wants to hammer your site'. That is usually never the case with my sites. I do get a steady stream of spam, but it is quite gentle so as not to trigger any WAFs. The load comes from LLMs scraping the everliving shit out of my sites and fortunately they don't seem to bother with filling in forms...