Server-side apps that can keep a secret safe (e.g., Node.js, Rails).
Client-side or mobile apps where the secret cannot be kept (uses PKCE).