Forget About OAuth 2.0. Here Comes OAuth 2.1 - Philippe De Ryck - NDC Oslo 2022
OAuth 2.0, OAuth 2.1
A refresh token makes sense when the client secret can be kept secret.
Therefore, in public clients, because the secret is not very secret, the refresh token is a simple bearer token.
Therefore, the authorization code grant did not make sense for public clients, and the
implicit grant was suggested instead, as it was no less secure.
It is still very insecure though.
Now, in public clients one should use the authorization code grant with PKCE and
refresh token rotation.
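Added example, not from the talk or from these notes: a minimal in-memory model of the two mechanisms the note ends on, PKCE (RFC 7636, S256 method) on the code exchange and single-use refresh tokens with reuse detection. The class and function names (AuthorizationServer, make_code_verifier, demo, ...) are hypothetical; a real authorization server would persist the token families and bind codes to a redirect URI as well.

```python
"""Added example (hypothetical names, in-memory only): what OAuth 2.1 expects
from a public client such as an SPA -- authorization code grant with PKCE
(S256) and refresh token rotation where reuse revokes the whole token family."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(sha256(ascii(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    # authorization code -> (client_id, code_challenge) until the code is redeemed
    pending_codes: dict = field(default_factory=dict)
    # refresh token -> family id; a family is every token descended from one grant
    refresh_tokens: dict = field(default_factory=dict)
    # family id -> the single currently valid refresh token (None once revoked)
    families: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        """Authorization endpoint: bind the issued code to the client's challenge."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, code_challenge)
        return code

    def exchange_code(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        """Token endpoint: a code is usable once, and only with the matching verifier.
        No client secret is involved, so this is all a public client can offer."""
        entry = self.pending_codes.pop(code, None)  # pop: single use
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None  # a stolen code is useless without the verifier
        return self._issue(family=secrets.token_urlsafe(8))

    def refresh(self, refresh_token: str) -> Optional[dict]:
        """Rotation: every refresh token is single use; presenting an old one
        means either the client or a thief holds a stale copy, so revoke the family."""
        family = self.refresh_tokens.get(refresh_token)
        if family is None:
            return None
        if self.families.get(family) != refresh_token:
            self.families[family] = None  # reuse detected: kill the whole lineage
            return None
        return self._issue(family)

    def _issue(self, family: str) -> dict:
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[new_refresh] = family
        self.families[family] = new_refresh
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": new_refresh}


def demo() -> dict:
    """Run the flow once and report which checks behaved as OAuth 2.1 intends."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    code = srv.authorize("spa-client", challenge)
    tokens = srv.exchange_code("spa-client", code, verifier)
    replayed = srv.exchange_code("spa-client", code, verifier)      # same code again

    code2 = srv.authorize("spa-client", challenge)
    wrong = srv.exchange_code("spa-client", code2, make_code_verifier())  # wrong verifier

    first = tokens["refresh_token"]
    rotated = srv.refresh(first)            # legitimate rotation
    reused = srv.refresh(first)             # old token presented again
    after = srv.refresh(rotated["refresh_token"])  # family is now revoked

    return {
        "exchange_ok": tokens is not None,
        "code_replay_rejected": replayed is None,
        "wrong_verifier_rejected": wrong is None,
        "rotation_ok": rotated is not None and rotated["refresh_token"] != first,
        "reuse_rejected": reused is None,
        "family_revoked": after is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The reuse branch is the important part: rotation alone only shortens the window in which a leaked bearer refresh token works; revoking the family on reuse is what turns a theft into a detectable event rather than a silent session takeover.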