Nice read. CORS is definitely helpful for SPA apps to get a service with a backend to use authorization code flow with the IDP.

PKCE is another way to replace the implicit flow for SPA apps.
A good article here: https://developer.okta.com/blog/2018/12/13/oauth-2-for-native-and-mobile-apps