I have seen some similar questions a few years old and I am not sure if there are any new changing views on this.
I see that this flow is not recommended for mobile native apps. What are the practical downsides, security-wise, of using this flow for this case, assuming the app and auth server are managed by the same organization?