In the official documentation "Which OAuth 2.0 Flow Should I Use?", in the part "Is the Client a Single-Page App", there is:
If the Client is a Single-Page App (SPA), an application running in a browser using a scripting language like JavaScript, there are two grant options: the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and the Implicit Flow with Form Post. For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side.
I’m not sure whether I misunderstood something, but when using an SPA with this flow, how is the token not exposed on the client side?