
Let’s consider a single-page, client-side application developed using HTML and JavaScript.

In this case, even if the implicit or authorization code flow is being used to request Access Tokens, the client ID and secret would still be found in some JavaScript, which might be making the token requests. Plus, passing the Access Token in the request header (or query parameter) is still visible in the network trace. Moreover, the Access Token needs to be stored locally in a browser.

  • How secure is it to use OAuth2 for web-based applications?
  • How can the user information be protected if the client (browser) is compromised?

Thanks.

Biswajit

1 Answer

3

For implicit OAuth, you don't use a Client Secret in the browser JavaScript. You only need the Client ID. The Client ID is not a secret and is considered public information. The Client ID and Scopes identify what permissions to services you wish to authorize.

How secure is it to use OAuth2 for web-based applications?

OAuth itself is very secure. However, as with any security implementation, it is only as strong as the weakest component. For implicit grant flow, such as your single page web application, the authentication occurs between the user and the Identity provider. Once the flow completes your app has an Access Token and optionally a Client ID Token. The assumption with implicit grant flow is that the user is present at the browser and that no confidential information will be stored.

How can the user information be protected if the client (browser) is compromised?

If the user's browser is compromised, nothing can be protected. Once an OAuth token has been generated that has permissions to do X, the compromised browser can continue to do X until the token expires.

If your question is about protecting the user's login and password, or other type of authentication information then this information is also at risk if the browser is compromised.

In summary a compromised browser potentially has no security no matter what technology is used for authentication and authorization.

John Hanley