
In what cases is this kind of plain auth code flow still considered good enough from a security POV?

There's advice eg https://www.oauth.com/oauth2-servers/pkce/ that seems to say you should PKCE it even in server-side auth code flow use cases:

> PKCE was originally designed to protect the authorization code flow in mobile apps, and was later recommended to be used by single-page apps as well. In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that use a client secret.



It's secure as long as you are using a private client (one that can safeguard a client secret), but PKCE costs you nothing, so it's strictly better to do it.
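An added example (not code from either commenter) of what the reply is getting at: a toy in-memory authorization server and a confidential client with a real client secret, run once with the plain authorization code flow and once with PKCE (RFC 7636, S256). The authorization code injection case from the quoted article is modelled by taking a code issued for one session and presenting it from a different session. The client id, secret and server structure are constructed for the demo; `make_verifier` and `s256_challenge` follow RFC 7636 sections 4.1 and 4.2.

```python
"""PKCE on a confidential-client authorization code flow (added example).

Toy in-memory authorization server, constructed client credentials; no real
library's API. Shows that the client secret alone does not stop authorization
code injection, while a verifier bound to the code does.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for secrets and challenges."""
    return hmac.compare_digest(a.encode("ascii"), b.encode("ascii"))


class AuthServer:
    """Toy authorization server. 'web-app' is a confidential client (constructed)."""

    def __init__(self, require_pkce: bool):
        self.require_pkce = require_pkce
        self.clients = {"web-app": "s3cret"}   # constructed client_id -> client_secret
        self.codes = {}                        # issued code -> record

    def authorize(self, client_id, code_challenge=None, method="S256"):
        """User has consented; issue a single-use code bound to the challenge, if any."""
        if self.require_pkce and (code_challenge is None or method != "S256"):
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id, client_secret, code, code_verifier=None):
        """Exchange a code for a token; returns None on any failure."""
        if not _eq(self.clients.get(client_id, ""), client_secret):
            return None                            # client authentication failed
        rec = self.codes.get(code)
        if rec is None or rec["used"] or rec["client_id"] != client_id:
            return None
        rec["used"] = True                         # burn the code even if PKCE fails below
        if rec["challenge"] is not None:
            # The verifier must hash to the challenge bound at authorization time.
            if code_verifier is None or not _eq(s256_challenge(code_verifier), rec["challenge"]):
                return None
        return {"access_token": secrets.token_urlsafe(16), "for_code": code}


def legitimate_flow(server: AuthServer):
    """One session: same verifier used to derive the challenge and to redeem the code."""
    verifier = make_verifier()
    challenge = s256_challenge(verifier) if server.require_pkce else None
    code = server.authorize("web-app", challenge)
    return server.token("web-app", "s3cret", code, verifier if server.require_pkce else None)


def injection_attack(server: AuthServer):
    """Authorization code injection: a code issued for the victim's session is
    presented through a different session at the same confidential client.
    The client sends its real secret, so client authentication passes. With PKCE
    the client sends the verifier of the session the code was injected into,
    which does not hash to the challenge bound to the stolen code."""
    victim_verifier = make_verifier()
    stolen_code = server.authorize(
        "web-app", s256_challenge(victim_verifier) if server.require_pkce else None)
    other_session_verifier = make_verifier()
    return server.token("web-app", "s3cret", stolen_code,
                        other_session_verifier if server.require_pkce else None)


if __name__ == "__main__":
    for pkce in (False, True):
        srv = AuthServer(require_pkce=pkce)
        print(f"PKCE={pkce}: legitimate -> {legitimate_flow(srv) is not None}, "
              f"injection succeeds -> {injection_attack(srv) is not None}")
```

With `require_pkce=False` the injected code is redeemed, because the client secret only proves which client is calling, not which session started the flow. With `require_pkce=True` the same request fails on the verifier check, and the code is marked used so it cannot be retried with another guess.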



