I alluded to the usage of being hijacked for the same reason. From what I have seen, the nuance around OAuth1 vs OAuth2 vs OAuth2.1 vs OIDC is just something that most people use without understanding the details, just in order to achieve the end goal. On top of that you can add PKCE, client credentials, password credentials, and now we are talking about something that's not comprehensible anymore. I am not a purist by any means, but it still pains me when people do things without understanding them.