No one likes spam bot form submissions but they are a reality of putting your business online. There's no golden fix here so regardless of what methods you try be very aware that you won't stop them all.
(This ramble is a post in writing, so expect changes and additions to be made.)
For many hosted platform - Shopify included - a true captcha system would need support on the server side. I would like to think such a feature would be added soon but for now it doesn't.
Should I add a captcha?
My advice - don't bother unless you are really getting slammed by spam. In that case stopping a few percent could actually equal a lot of processing time on your end. If you're only seeing a few per week this is really nothing to lose sleep over. Seriously.
If you think I am crazy for saying that - you could be right. Just weigh up the pros and cons yourself and make a call either way. You must realise that adding a captcha is going to hurt conversion to some degree. What's worth more - the conversion, or the lack of annoyance for you managing the spam. There's no right answer here so go with your gut.
If not a captcha, what?
I do like how mailchimp add some basic low level detection in their forms. They purposeful add a field that is not seen, but can be found easily by a bot. If a bot fills out the field you can be confident that whatever filled it out is a bot, and just purge the data. Whilst not stopping the spam, being able to detect it faster helps alleviate the concerns with trying to wrestle into action. Until then, hope that a more bulletproof, server side solution is added on whatever hosted platform you're using.
For Shopify this can work pretty well but keep in mind the form endpoints will always exist. So form or no form you can still post data and have it process server side.
Do you have some sweet code examples?
soon... feel free to annoy me if this bit is taking too long to be written...