Example: Disable JavaScript in your browser of choice, and you’ll be able to submit the form without seeing the recaptcha at all.

Google’s setup guide explicitly describes two steps to set recaptcha up, 1. client-side (what the implementation linked in this thread does + enabling the submit button if the captcha passes). 2. server-side, validate the captcha serverside.

Unless the recaptcha is validated serverside (“never trust the client”), the only thing preventing a form submit is the disabled submit button. And that doesn’t happen with a spam script.