At the very least, they're wasting bandwidth to a (likely) low quality connection.

But anyone making malicious POST requests, like spamming chatGPT comments, first makes GET requests to load the submission and find comments to reply to. If they think you're a low quality user, I don't see why they'd bother just locking down POSTs.

SQL injection?

Get parameters can be abused like any parameter. This could be sql, could be directory traversal attempts, brute force username attempts, you name it.

If your site is vulnerable to SQL injection, you need to fix that, not pretend Cloudflare will save you.

Obviously. But I was responding to "what is sinister about a GET request". To put it a slightly different way, it does not matter so much whether the request is a read or a write. For example DNS amplfication attacks work by asking a DNS server (read) for a much larger record than the request packet requires, and faking the request IP to match the victim. That's not even a connection the victim initiated, but that packet still travels along the network path. In fact, if it crashes a switch or something along the way, that's just as good from the point of view of the attacker, maybe even better as it will have more impact.

I am absolutely not a fan of all these "are you human?" checks at all, doubly so when ad-blockers trigger them. I think there are very legitimate reasons for wanting to access certain sites without being tracked - anything related to health is an example.

Maybe I should have made a more substantive comment, but I don't believe this is as simple a problem as reducing it to request types.