If you use a VPN you get CloudFlare captchas all the time

ddos as a service providers (aka booters/stressers) proxy L7 request floods via VPN providers. At some point the VPN providers might actually care to kill off those accounts / better tighten up their free tiers, but they don't care at the moment.

I browse exclusively with a VPN and this doesn't happen to me much.

The key here is "not yet". But try to use a public VPN/proxy IP to get a peek incoming future.

I do. And that second part is false. Most users of cloudflare don't configure it and just run with the defaults. That means any browser that doesn't implement the latest bleeding edge features gets blocked. And it especially means, say, if you're science.org and you've applied cloudflare to your entire domain, that URL endpoints that are supposed to be hit by clients like RSS readers end up covered under the entire domain anti-bot block, and now the RSS URLs are incessibible to native feed readers and only paid feedly accounts are whitelisted and can accesss science.org/aaas hosted blog feeds. True story.