And the point is that anyone with even a modicum of dev experience can remove the `subform` field and automate submission to the otherwise-standard form and completely bypass reCAPTCHA.
The issue goes even deeper: if `subform` is set to `no`, then Sendy considers the user as added via the API. This should mean that it would `verify_api_key` before allowing such a submission, but Sendy doesn't verify the API key for subscribe calls (doh!). Old forum posts suggest that double opt-in is a solution; however, not only can you bypass the captcha and form with `subform=no`, you can also bypass double opt-in via the subscribe API by sending `silent=true` in your POST.
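A server-side gate that closes the three gaps described above, shown as an added example rather than Sendy's own code: a request is either an explicit form submission with a verified captcha, or an API call with a valid key, and `silent` is honoured only on the authenticated API path. The function name `subscribe_gate`, the `api_key` and `g-recaptcha-response` field names, the captcha callback and the sample key are assumptions made for illustration.

```php
<?php
// Added example: hypothetical pre-check to run before a subscribe handler.
// Not Sendy code. $validApiKey and $captchaOk are supplied by the caller.
function subscribe_gate(array $post, string $validApiKey, callable $captchaOk): array
{
    $deny = function (string $why): array {
        return ['allow' => false, 'silent' => false, 'reason' => $why];
    };

    // Only an explicit subform=yes is treated as a browser form submission.
    // A missing or altered field falls through to the API path below, so
    // dropping it no longer yields an unauthenticated, captcha-free route.
    $isForm = isset($post['subform']) && $post['subform'] === 'yes';

    if ($isForm) {
        $token = $post['g-recaptcha-response'] ?? '';
        if (!is_string($token) || $token === '' || !$captchaOk($token)) {
            return $deny('captcha missing or invalid');
        }
        // Form submissions can never skip double opt-in.
        return ['allow' => true, 'silent' => false, 'reason' => 'form with captcha'];
    }

    // API path: the key is mandatory and compared in constant time.
    $key = $post['api_key'] ?? '';
    if (!is_string($key) || $key === '' || !hash_equals($validApiKey, $key)) {
        return $deny('api key missing or invalid');
    }
    $silent = isset($post['silent']) && $post['silent'] === 'true';
    return ['allow' => true, 'silent' => $silent, 'reason' => 'authenticated api'];
}

// Constructed sample requests (values are placeholders, not real credentials).
$key = 'EXAMPLE-KEY-NOT-REAL';
$captcha = function (string $t): bool { return $t === 'valid-token'; }; // stand-in verifier
$cases = [
    'form, valid captcha'        => ['subform' => 'yes', 'g-recaptcha-response' => 'valid-token'],
    'form, silent requested'     => ['subform' => 'yes', 'g-recaptcha-response' => 'valid-token', 'silent' => 'true'],
    'subform removed, no key'    => ['email' => 'a@example.com'],
    'subform=no, silent, no key' => ['subform' => 'no', 'silent' => 'true'],
    'api, valid key, silent'     => ['subform' => 'no', 'api_key' => $key, 'silent' => 'true'],
];
foreach ($cases as $name => $post) {
    $r = subscribe_gate($post, $key, $captcha);
    printf("%-28s allow=%-3s silent=%-3s (%s)\n", $name,
        $r['allow'] ? 'yes' : 'no', $r['silent'] ? 'yes' : 'no', $r['reason']);
}
```

The captcha callback here is a stand-in; in a deployment it would call the captcha provider's server-side verification endpoint.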