Nice introduction. One thing I missed, though, is the introduction of the client secret in attack #6, which actually solves the problem if Piped Piper is exchanging the code for a token from its own server. PKCE is only strictly necessary if you cannot ensure that the client secret is not extracted, which could be the case if it's stored in a native app on, for instance, a smartphone.