For email, I've had some luck just modifying the page with JS that's either indirect or obfuscated enough that the address can't be pulled directly from it - e.g. "var email" is the address encrypted with a fixed key, the JS decrypts it and then alters the HTML.

It can obviously be bypassed by using a JS runner, but it seems to be enough of a hurdle that few spammers bother. "You don't have to outrun the bear", as it were.

Nice. It's a pretty low-traffic site, so something that doesn't require an external service but is still capable enough to defeat 90% of spammers sounds like a good compromise. I imagine drawing the email address to a canvas instead of a textual HTML element could be more effective, alas not accessible.

I have my email in plain text on every page of my site. I get about 1 spam per day that I see in my inbox on Gmail. I suppose Gmail filters even more silently. It's been working fine for over a decade. Is there some scale of site popularity where it becomes a problem?

> do good, privacy-preserving, cookie-less alternatives to reCAPTCHA exist

I implement a custom proof-of-work algo in JS.

Not very eco-friendly, but then again captchas are not disabled-people-friendly, so pick your poison I guess.