Your understanding of the difference between Implicit and Authorization Code (AC) is spot on. Note that Implicit is not that insecure, but the AC flow is just cleaner.
The client secret is used to authenticate a confidential client (i.e., a client living in a secure environment). That is mainly used to authenticate a backend service acting as a client on behalf of the user.
Since a frontend application (browser, mobile, …) does not run in a secure environment, it cannot handle a secret. Anyone able to read the source code would be able to extract that secret. That’s why you cannot use the secret in SPAs.
For mobile applications, not using the secret makes the authorization code vulnerable. It would mean that a malicious app that intercepts the code could exchange it for tokens, which is a problem. That is why they added PKCE for mobile applications, which uses a one-time secret for the flow. Because of PKCE, only the app starting the flow will be able to obtain the tokens, thus preventing abuse of the authorizatio ncode.
Given the widespread support for PKCE, it has become a best practice in every instance of the AC flow. It does not cost much, and it improves security. Note that the AC flow with PKCE is recommended for SPAs (and supported by the Auth0 SDK), but that authorization code theft in SPAs is less of an issue than in mobile apps.
Hope this helps.
Philippe