I had some cool anti bot stuff years ago in a system that I was using at the time. I had a non visible form field that was populated with the word 'YES" when someone clicked a button to agree to terms during login. Validation just checked for not empty field. The form allowed the user to override the field manually. That test detected so many automated account creation scripts, it was just insane. Just filter for something other than YES and you've got a simple way to detect bots. The key was not to do a "fast fail" to let them know they were found - but just shadow ban the account and set an auto-delete in x days. BUT, This worked because it was my own system, that was unknown more broadly.

If UNA created a system, it would be a matter of time particuarly with open source code for the bot authors to determine how to delete the system and just put the word YES in that box. I agree that the best approach is third party turnstyle type systems that are able to change and react their detections as needed, without updating the site app is the beset approach. But either way, an interesting discussion.