My thoughts
With the proliferation of OAuth 2.0 RFCs and OpenID Connect specifications, it has become very difficult to understand the best configuration / implementation for security.
This RFC summarizes all the current best practices.
My key takeaway is that using PKCE for all clients is recommended.
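To make the PKCE takeaway concrete, here is an added example (my own illustration, not code from RFC 9700 or RFC 7636) of the two halves of PKCE: the client generating a `code_verifier` and its S256 `code_challenge`, and the authorization server checking the verifier at the token endpoint. Function names and the parameter dicts are my own; the known-answer pair `RFC7636_VERIFIER` / `RFC7636_CHALLENGE` is the test vector from RFC 7636 Appendix B. The example accepts only the `S256` method, since it is the only defined method that keeps the verifier out of the authorization request.

```python
import base64
import hashlib
import hmac
import secrets

# Unreserved characters allowed in a code_verifier (RFC 7636 section 4.1)
_VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

# Known-answer pair from RFC 7636 Appendix B (used for self-checking below)
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def make_code_verifier(length: int = 64) -> str:
    """Client side: random, high-entropy verifier of 43-128 unreserved chars."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(client_id: str, redirect_uri: str,
                                 code_verifier: str, state: str) -> dict:
    """Client side: parameters sent to the authorization endpoint.
    Only the challenge travels here; the verifier stays with the client."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": make_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(client_id: str, redirect_uri: str,
                         code: str, code_verifier: str) -> dict:
    """Client side: parameters sent to the token endpoint, now revealing the verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def verify_code_challenge(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization-server side: check the verifier presented at the token endpoint
    against the challenge stored with the issued authorization code.
    Rejects 'plain' and unknown methods and uses a constant-time comparison."""
    if method != "S256":
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    if any(c not in _VERIFIER_ALPHABET for c in code_verifier):
        return False
    return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)


def demo_flow() -> bool:
    """Run one client/server round trip with a freshly generated verifier.
    Returns True when the legitimate verifier passes and a forged one fails."""
    verifier = make_code_verifier()
    auth_req = authorization_request_params("app", "https://app.example/cb", verifier, "xyz")
    # The server stores auth_req["code_challenge"] alongside the issued code
    stored = auth_req["code_challenge"]
    tok_req = token_request_params("app", "https://app.example/cb", "SplxlOBeZQQYbYS6WxSbIA", verifier)
    genuine_ok = verify_code_challenge(tok_req["code_verifier"], stored, "S256")
    # An attacker who stole only the authorization code cannot supply the verifier
    forged_ok = verify_code_challenge(make_code_verifier(), stored, "S256")
    return genuine_ok and not forged_ok


if __name__ == "__main__":
    assert make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE
    print("PKCE round trip OK:", demo_flow())
```

The important property to notice is that the `code_challenge` is the only PKCE value an attacker who can observe the authorization request (or steal the authorization code) ever sees; without the `code_verifier` the token endpoint refuses the exchange.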
Read the article: RFC 9700 - Best Current Practice for OAuth 2.0 Security