Google's OAuth2 for Desktop Client Documentation says:
"Unlike with web clients, the OAuth 2.0 client secret (if used) is assumed not to be confidential."
This makes sense. However, I can't tell any difference between the two flows that reflects this assumption: both flows yield an access token and a refresh token (even though the standard OAuth2 philosophy seems to be that you shouldn't hand out refresh tokens to non-confidential clients, and you should use the implicit grant flow instead).
Then what's the difference security-wise between the two flows?
(Update: Maybe the latter always prompts for consent, even when the user already gave their consent?)