Why doesn’t OIDC hybrid flow require nonce?

The OIDC standard requires the nonce parameter in the authentication request when using the implicit flow:

nonce REQUIRED. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.

However, in the hybrid flow the nonce is not required. Yet the id_token is directly returned in the response and is also susceptible to injection or replay.

Why is the nonce parameter not required in hybrid flow? What secures hybrid flow from injection or replay of id_token?
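
The association the quoted text describes, as an added example that is not part of the original question: a client stores a fresh nonce in its session, sends it in the authentication request, and accepts an ID Token only if its nonce claim matches. The function names, the dict-based session and the sample claims are assumptions, and the ID Token's signature is assumed to have been validated already.

```python
import hmac
import secrets


class NonceError(Exception):
    """ID Token could not be bound to this client session."""


def begin_authentication(session: dict) -> str:
    """Create a fresh nonce, keep it in the session, return it for the request."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return nonce


def check_id_token_nonce(session: dict, claims: dict) -> None:
    """Bind already signature-verified ID Token claims to this session.

    The stored nonce is consumed on the first attempt, so a second
    presentation of the same token (a replay) finds nothing to match.
    """
    expected = session.pop("oidc_nonce", None)
    if expected is None:
        raise NonceError("no authentication request pending for this session")
    received = claims.get("nonce")
    if not isinstance(received, str):
        raise NonceError("ID Token carries no nonce claim")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise NonceError("nonce belongs to a different session or request")


def outcome(session: dict, claims: dict) -> str:
    """Return 'accepted' or the rejection reason (helper for the demo)."""
    try:
        check_id_token_nonce(session, claims)
        return "accepted"
    except NonceError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: two browser sessions and hand-built claims.
    alice, bob = {}, {}
    token = {"iss": "https://op.example", "sub": "alice",
             "nonce": begin_authentication(alice)}
    begin_authentication(bob)
    print(outcome(bob, token))    # token injected into another session
    print(outcome(alice, token))  # legitimate first use
    print(outcome(alice, token))  # same token presented again
```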