It's not doing it on it's own, I believe what they're referring to is a a pre-configured distribution of a shell packaged with some distributions of Git, for some OSes.
It's mainly mitigating exposure. Some possible vulnerabilities would be social engineering(i.e. it'd be easier to send a targeted phishing URL to gain recon on an employee of a company if you know an internal domain), or injection into a public facing service that has access to internal services.
Re:Captcha uses your IP and Google account to try to determine if you're a real human or a bot. If you're signed into a brand new Google account, or logged out of one, it'll be more likely to prompt for Re:Captcha.