OAuth best practice is to enforce that clients use PKCE. Draft OAuth 2.1 insists authorization servers enforce the use of PKCE by public clients, and recommends enforcing it for all clients https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2

using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use, unless ... The client is a confidential client. ... In this case, using and enforcing code_challenge and code_verifier is still RECOMMENDED.

Thus it would be useful to have an 'enforce client use of PKCE' option with choices: none, public, all.