in the closing post, your support staff's statement ("But the captcha is still needed to avoid any sort of bot somehow accessing the form.") suggests that every single CRED form needs to use captcha whether the form's display is controlled by Access or even if the user's logged in status is checked.
Is this really so? Surely if a user's role is being checked, then a form would only be visible to a user with that role and for a user to have a role, they must be logged in and the whole point of having users log in is to be able to hide certain content from public view and therefore bots (who don't log in).