It even says so on the official website ( https://oauth.net/2/grant-types/implicit/ ) - astonishing that they can't get this right. Maybe says something about the product?
Entirely agree and we recommend using Auth Code+PKCE whenever possible. This post is intended to be the first of a few starting with the base spec. In the next one, I plan to go over the RFCs for JWT, Revocation, Inspection, PKCE, the AppAuth pattern, and probably a few others.