Hacker News

littlecranky67, today at 9:24 AM

My pet peeve is the standard OpenID Connect implementation of OAuth for SPAs - which will probably use the PKCE code flow. It is probably for historic reasons and old browser compat, but exposing access token and revocation token to JavaScript is IMHO just madness. In modern security flows you would save those tokens into cookies that are HttpOnly and SameSite=strict and prevent a myriad of JS based attack vectors.
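As an added example (not code from the comment above), a Node.js backend-for-frontend helper that applies this pattern: after the PKCE code exchange the tokens are issued to the browser only as HttpOnly, Secure, SameSite=Strict cookies, and the BFF converts the cookie back into a bearer header when it proxies API calls. The function names, cookie names and sample token values are this example's own.

```javascript
// Added example (not code from the HN comment): a backend-for-frontend (BFF) that keeps
// OAuth tokens out of JavaScript. After the PKCE code exchange the BFF stores the tokens in
// HttpOnly, Secure, SameSite=Strict cookies and later turns the cookie back into an
// Authorization header when proxying API calls. Function and cookie names are this example's own.

const HARDENING = ['HttpOnly', 'Secure', 'SameSite=Strict'];

// Constructed sample token endpoint response (not a real token).
const SAMPLE_TOKEN_RESPONSE = { access_token: 'at.sample/1+2', refresh_token: 'rt.sample', expires_in: 300 };

// Token endpoint response -> Set-Cookie header values. The access token cookie uses the
// __Host- prefix (browser enforces Secure, Path=/, no Domain); the refresh token cookie is
// scoped to the refresh endpoint path so it is only sent when a refresh is requested.
function tokenResponseToCookies(tokenResponse, refreshPath = '/auth/refresh') {
  const { access_token, refresh_token, expires_in } = tokenResponse;
  if (typeof access_token !== 'string' || !Number.isInteger(expires_in) || expires_in <= 0) {
    throw new TypeError('malformed token response');
  }
  const common = HARDENING.join('; ');
  const cookies = [`__Host-at=${encodeURIComponent(access_token)}; Path=/; Max-Age=${expires_in}; ${common}`];
  if (refresh_token) {
    cookies.push(`__Secure-rt=${encodeURIComponent(refresh_token)}; Path=${refreshPath}; ${common}`);
  }
  return cookies;
}

// Audit helper: which hardening attributes a Set-Cookie value is missing (empty array = good).
function missingHardening(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return HARDENING.filter((a) => !attrs.includes(a.toLowerCase()));
}

// Parse an incoming Cookie request header into a name -> value Map.
function parseCookieHeader(cookieHeader) {
  const jar = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), decodeURIComponent(part.slice(i + 1).trim()));
  }
  return jar;
}

// BFF proxy step: the SPA calls the BFF with cookies only; the BFF adds the bearer token upstream.
// Returns null when no access token cookie is present (the caller answers 401).
function authorizationFromCookies(cookieHeader) {
  const at = parseCookieHeader(cookieHeader).get('__Host-at');
  return at ? `Bearer ${at}` : null;
}
```

The `missingHardening` check can be run over the `Set-Cookie` headers of a real login response to confirm that no token cookie is readable from `document.cookie` or sent on cross-site requests.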