Nothing can stop 100% of bots. The goal with captchas like Turnstile is to use a significant portion of your resources to the point it’s expensive and slow to perform an attack.

Turnstile runs many background checks on your browser, so headless browsers automatically become futile.

JavaScript PoW challenges are performed that take up multiple seconds of execution time, memory and CPU. This alone is a deterrent because sequential attacks become extremely long to execute.

Concurrent attacks are still unfeasible because Turnstile ups the difficulty if it detects something is up, and receiving requests from thousands of botnet IPs is bound to trip an alarm.