Its very difficult to block an extremely motivated and targeted attack. With things like this, you aren't trying to necessarily block a highly targeted attack. You mostly need to just ward off the majority of low effort bot spam and random internet trolls. Having extremely tight security can be expensive and/or difficult for most organizations.
This is exactly why something like reCAPTCHA exists and is used prevalently.
To me, it sounds like your system is just security by obscurity. It wouldn't scale, if it did become used prevalently then it would be very easy for bots to circumvent.
I normally agree with concerns about security through obscurity, but I disagree here: this isn’t a security feature. It is spam protection. Everything that creates more work for any attacker here helps reducing spam, on top of that Google itself uses code obsfucation (”Security through obscurity”) in their Captcha for precisely that reason.
It won’t scale, because it mustn’t scale. It is a dead simple solution to a complicated problem and works as long as it works, without selling your user data and brainpower toone of the biggest tech companies there is.
If it should happen that the spam bots overcome it or your site becomes big enough to be targeted you just change it for something stricter, stronger or more sophisticated.
