Authorization Code Grant: is it safe to send the tokens to the client?

Question

Let\'s say I have a SPA with a back-end on the same domain. If I had to connect to an external OAuth provider (let\'s say Google), the Authorization Code Flow (without PKCE) is