I wonder if the same recommendation (use Authorization Code Grant flow plus PKCE instead of Implicit Grant) should be made for SPA (single page applications), too.
Unfortunately, most SPA apps don't have a server side backed and thus cannot benefit from the additional security that the Authorization Code flow provides.