> Operators of the bot net would probably hard code one value as the difficulty

Bad assumption.

Assumptions like these never last. People who say “I don’t have any money” are still valuable to hackers as phishing senders, legitimate social media accounts, residential + non-cloud + regionally convenient IP space, etc. If consuming connection / server resources becomes valuable then botnet controllers will find a way to pay the cost. It’s easy because someone else is paying for the hardware, bandwidth, and power costs.

But the effect of a market of PoW is the same — there is game theory involved in bidding (just like a silent auction). Even if a botnet uses a dynamic priority bid system, the cost increases as the botnet tries to starve the server of resources. The server’s resources are always zero-sum and the bidding will get progressively more expensive until the opportunity cost of the botnet changes behavior.

Would it really be lower on the bot net in the majority of cases? I'd imagine that real users probably wouldn't want to have their entire cpu spent on this.

real users have more CPU than a literal toaster (or smart air fryer, or IP camera, or many other common botnet devices)

Not only that, real users actually want to use the service, not overload it. A real user might only make one request a second. A botnet device is trying to make a thousand requests per second to overload the server. Even if they each have the same CPU as a normal user, now each node in the botnet can only make as many requests per second as a user or the user can outbid them.

^ this guy gets it