Why even have a redirect? Wouldn’t just a normal TLS/HTTPS request/response protect the requests and token?
The one argument I have heard against TLS is that there could be an app that acts as a proxy and presents its own cert on the phone. But if that is the case, how would this be different from a normal desktop app?
To me it seems like PKCE is protecting against a compromised device. I would assume if native requires PKCE then desktop apps (non-browser) would also require PKCE.