Even for 100% FE solutions, the current best practice from OAuth authors [1][2] is to use authorization code + PKCE (optionally, +dPoP). The implicit flow is deprecated (since PKCE), and from OAuth 2.1 it will be removed entirely.

[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-secur...

[2] https://auth0.com/docs/get-started/authentication-and-author...