Assuming that you understand the risks of doing email/password login directly from the application, you don’t need a client secret to do the resource owner password grant exchange from a native app.
If you selected the right app type when creating it, the Token Endpoint Authentication Type should be set to None, meaning that the client_secret will not be required when making requests to /oauth/token. You can change the app type and token endpoint authentication type now if you have a different selection now.
This would be conceptually equivalent to creating your own server token endpoint (which would also work without authentication from the app, since like you said native apps can’t keep secrets), without the added complexity (and benefitting from Anomaly Detection).
Do keep in mind that opening the Resource Owner grant to the public means that a rogue application could pretend to be yours, trick the user into typing the credentials, and would be able to obtain a token.