reCAPTCHA Enterprise Annotation Performance Information

I am working on implementing reCAPTCHA Enterprise and was wondering what the difference in performance is when using reCAPTCHA Enterprise out of the box vs. providing annotations.

I am also curious where the annotation data that you provide goes. Does it only go toward training your site-specific model, or does the information also train the global model?


reCAPTCHA score based should be used with caution and ensure that if you get lower scores you can take further steps to ensure that the information being exchanged from your frontend and backend should escalate to further confrontation.

Are you registering new users from a form, and, are you using an account defender approach for it?

Are you providing search forms that are unauthenticated? If so, when a search returns results, do you consider them a LEGITIMATE call? When do you consider those behaviors FRAUDULENT? Maybe it is worth annotating back these behaviors after the fact and avoid blocking users just by receiving low scores.

Make sure to provide actions for authenticated users and limit broader application forms for non-authenticated users; this will help find LEGITIMATE vs FRAUDULENT ones way easier than not.

Use the real IP when sending events in an assessment, and use valid values for further fields in the event object such as user agent, IP address, etc. The more accurate and more complex your events are, the harder it will be for bots to know all of these beforehand.

Also, do those searches match a result? What about subsequent or prior ones? Are they using common fields from previous searches, and did those previous searches return a lower score or a higher score? If higher it shouldn't be, as they don't bring any valuable info at all. Only those that bring results should be considered a successful search, hence an indication of a LEGITIMATE operation being higher than FRAUDULENT.

On the other hand, if information being submitted isn't returning valid info, on and on from the same IP and similar terms, just changing one term? Those seem to be bots trying to enumerate valid searches, but previous ones weren't, so, why should we block them beforehand?
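
The after-the-fact annotation approach described in the reply above, as an added example that is not part of the original thread and not Google's own code: it builds the assessment event with the real client IP and user agent, then labels past search assessments from their outcomes. The search-log layout, the `example-project` name, the helper names and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict

API = "https://recaptchaenterprise.googleapis.com/v1"
ENUMERATION_THRESHOLD = 3  # assumed cut-off, not a value from the thread

def assessment_body(token, site_key, action, client_ip, user_agent):
    """Body for projects.assessments.create with the real client IP and user agent."""
    return {"event": {"token": token, "siteKey": site_key, "expectedAction": action,
                      "userIpAddress": client_ip, "userAgent": user_agent}}

def one_term_apart(a, b):
    """Same search fields, exactly one value changed."""
    return a.keys() == b.keys() and sum(a[k] != b[k] for k in a) == 1

def annotations_for(searches):
    """Return {assessment name: annotation}, decided after the searches ran."""
    by_ip = defaultdict(list)
    for s in searches:
        by_ip[s["ip"]].append(s)
    out = {}
    for rows in by_ip.values():
        misses = [r for r in rows if r["results"] == 0]
        # Empty searches that are a one-term variation of another empty search.
        chained = {r["assessment"] for r in misses
                   if any(one_term_apart(r["terms"], o["terms"]) for o in misses if o is not r)}
        for r in rows:
            if r["results"] > 0:
                out[r["assessment"]] = "LEGITIMATE"
            elif len(chained) >= ENUMERATION_THRESHOLD and r["assessment"] in chained:
                out[r["assessment"]] = "FRAUDULENT"
            # A lone empty search stays unannotated rather than being blocked.
    return out

def annotate_request(name, annotation):
    """URL and JSON body for the assessments :annotate call."""
    return f"{API}/{name}:annotate", {"annotation": annotation}

# Constructed sample search log (hypothetical layout, documentation IP ranges).
P = "projects/example-project/assessments/"
SAMPLE = [
    {"assessment": P + "a1", "ip": "203.0.113.7", "terms": {"last": "smith", "zip": "10001"}, "results": 0},
    {"assessment": P + "a2", "ip": "203.0.113.7", "terms": {"last": "smith", "zip": "10002"}, "results": 0},
    {"assessment": P + "a3", "ip": "203.0.113.7", "terms": {"last": "smith", "zip": "10003"}, "results": 0},
    {"assessment": P + "a4", "ip": "198.51.100.4", "terms": {"last": "jones", "zip": "94105"}, "results": 2},
    {"assessment": P + "a5", "ip": "198.51.100.4", "terms": {"last": "jonse", "zip": "94105"}, "results": 0},
]

if __name__ == "__main__":
    for name, label in annotations_for(SAMPLE).items():
        print(annotate_request(name, label))
```
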