Regarding the bots: since you're building a privacy-first product, you should look into a Proof-of-Work captcha (like Hashcash or mCaptcha). Just have the user's browser mine hashes for a couple of seconds before issuing the trial token. A normal human won't even notice it, but it'll burn so many CPU cycles for bot farms that abusing your API becomes economically unviable.
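One way to implement the hashcash-style gate the comment above describes, as an added example (not code from the original thread, from Hashcash or from mCaptcha). Assumptions not in the original: SHA-256 over challenge and nonce with difficulty counted in leading zero bits, an HMAC-tagged challenge carrying a salt, expiry and difficulty so the server stays stateless and the client cannot lower the difficulty, and a set of redeemed salts for replay protection; the secret, TTL and function names are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

# Illustrative values (assumption, not from the original post): a real
# deployment loads the secret from a KMS/env and tunes difficulty per client.
SERVER_SECRET = b"example-secret-change-me"
CHALLENGE_TTL = 120  # seconds a challenge stays redeemable


def issue_challenge(difficulty: int, now: Optional[int] = None) -> str:
    """Server side: random salt + expiry + difficulty, HMAC-tagged so the
    server keeps no state and the client cannot lower the difficulty."""
    now = int(time.time()) if now is None else now
    salt = secrets.token_hex(16)
    body = f"{salt}:{now + CHALLENGE_TTL}:{difficulty}"
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash 'difficulty')."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, limit: int = 1 << 32) -> Optional[int]:
    """Client side (the part the browser would grind): find a nonce such that
    SHA-256(challenge ':' nonce) has >= difficulty leading zero bits.
    Expected work is 2**difficulty hashes; the server verifies with one."""
    difficulty = int(challenge.split(":")[2])
    for nonce in range(limit):
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce
    return None


def verify(challenge: str, nonce: int, now: Optional[int] = None) -> bool:
    """Server side: check the tag first (rejects forged or lowered
    difficulty), then expiry, then a single hash of the claimed solution."""
    now = int(time.time()) if now is None else now
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    salt, expiry, difficulty, tag = parts
    body = f"{salt}:{expiry}:{difficulty}"
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    if now > int(expiry):
        return False
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= int(difficulty)


def redeem(challenge: str, nonce: int, redeemed: Set[str],
           now: Optional[int] = None) -> bool:
    """Token-issuing step: a valid solution is accepted exactly once. Without
    the seen-salt set one solved challenge could be replayed for unlimited
    tokens; the set only has to live for CHALLENGE_TTL seconds."""
    if not verify(challenge, nonce, now):
        return False
    salt = challenge.split(":")[0]
    if salt in redeemed:
        return False
    redeemed.add(salt)
    return True


if __name__ == "__main__":
    ch = issue_challenge(difficulty=16)
    n = solve(ch)
    print("nonce", n, "accepted", redeem(ch, n, set()))
```

Two things worth keeping in mind when tuning this: the client's expected cost is 2**difficulty hashes, so each extra bit doubles the "couple of seconds", while the server's cost stays one HMAC and one hash; and the proof of work on its own says nothing about reuse, which is why the redeemed-salt check exists.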
As someone interested in cryptography, I'd also recommend a VDF. A Wesolowski VDF isn't that hard to hand-roll [0] [1] and will make parallel attacks much harder while penalizing low-power devices less.
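The Wesolowski construction mentioned above, as an added example (not the commenter's code and not any library's). Assumptions not in the original: an RSA group whose modulus is constructed here from two public Mersenne primes (a toy, since the factorisation is known; the last function shows exactly why that breaks the delay), a Fiat-Shamir challenge prime derived with SHA-256 plus a next-prime search, and a small T so that 2^T can simply be computed as a bigint.

```python
import hashlib

# Constructed toy modulus (assumption, NOT from the original post): two
# Mersenne primes, so the factorisation is public. That is precisely the
# property a real VDF modulus must NOT have; trapdoor_shortcut() shows why.
# Production needs a modulus of unknown factorisation (an MPC ceremony) or a
# class group of unknown order.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 primes as bases (deterministic below
    2**81; negligible error for the 128-bit candidates used here)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def challenge_to_element(challenge: bytes, modulus: int = N) -> int:
    """Map a request (e.g. a trial-token request id) to a group element."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % modulus


def hash_to_prime(x: int, y: int, T: int) -> int:
    """Fiat-Shamir: derive the challenge prime l from (x, y, T) as the first
    odd 128-bit value at or after the hash that passes Miller-Rabin."""
    h = hashlib.sha256(f"{x}:{y}:{T}".encode()).digest()
    cand = int.from_bytes(h[:16], "big") | 1
    while not is_probable_prime(cand):
        cand += 2
    return cand


def evaluate(x: int, T: int, modulus: int = N) -> int:
    """The slow, inherently sequential part: y = x^(2^T) mod N by T squarings.
    Extra cores do not help because each squaring needs the previous result."""
    y = x
    for _ in range(T):
        y = y * y % modulus
    return y


def prove(x: int, y: int, T: int, modulus: int = N) -> int:
    """Wesolowski proof pi = x^q with q = floor(2^T / l). Materialising 2^T is
    fine for the small T used here; real provers use Wesolowski's long-division
    trick to compute q without it."""
    l = hash_to_prime(x, y, T)
    q = (1 << T) // l
    return pow(x, q, modulus)


def verify(x: int, y: int, T: int, pi: int, modulus: int = N) -> bool:
    """Verifier: one hash-to-prime and two small modexps, independent of T.
    Since 2^T = q*l + r, checks pi^l * x^r == y with r = 2^T mod l."""
    if not (1 < x < modulus and 0 < y < modulus and 0 < pi < modulus):
        return False
    l = hash_to_prime(x, y, T)
    r = pow(2, T, l)
    return (pow(pi, l, modulus) * pow(x, r, modulus)) % modulus == y


def trapdoor_shortcut(x: int, T: int, p: int = P, q: int = Q) -> int:
    """Why the group order must be secret: with phi(N) known the exponent 2^T
    reduces mod phi and the whole 'delay' collapses to one modexp."""
    phi = (p - 1) * (q - 1)
    return pow(x, pow(2, T, phi), p * q)


if __name__ == "__main__":
    x = challenge_to_element(b"trial-token-request-42")
    T = 2000
    y = evaluate(x, T)
    pi = prove(x, y, T)
    print("valid", verify(x, y, T, pi),
          "shortcut matches", trapdoor_shortcut(x, T) == y)
```

The verifier's cost does not grow with T, and the evaluator's cost is wall-clock time for T sequential squarings rather than aggregate hash rate, which is the property the comment is after. The deployment problem this toy hides is the modulus: anyone who knows the factorisation gets the result in one exponentiation, as trapdoor_shortcut shows, so generating N without a trapdoor is the real work of shipping one of these.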