As I stated, use a public client (i.e. w/o a secret). That’s the same recommendation as for native apps (https://tools.ietf.org/html/bcp212). Clearly, the AS must take this into consideration when determining the level of trust it puts into the client’s identity.
And do not forget to use PKCE in order to detect code injection attempts. Please take a look at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1 for the full set of security guidelines.
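
Added example, not part of the original message: a minimal sketch of the PKCE S256 check (RFC 7636) for a public client, showing how the AS rejects an authorization code that is redeemed in a session holding a different `code_verifier`. `ToyAuthorizationServer`, the client id `spa` and `demo()` are hypothetical names constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # 32 random bytes -> 43-char base64url string (RFC 7636 allows 43..128 chars).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthorizationServer:
    """Hypothetical in-memory AS: binds each code to the challenge it was issued for."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return False
        bound_client, challenge = entry
        if bound_client != client_id:
            return False
        # No client secret to check: the verifier is what ties this token
        # request to the session that started the authorization request.
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)


def demo():
    server = ToyAuthorizationServer()
    session_a = make_verifier()  # session that started the flow
    session_b = make_verifier()  # different session of the same public client
    code = server.authorize("spa", s256_challenge(session_a))
    injected = server.token("spa", code, session_b)  # code used in wrong session
    code = server.authorize("spa", s256_challenge(session_a))
    legit = server.token("spa", code, session_a)
    return injected, legit
```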