It’s true that authorization code with PKCE requires using the browser, but it brings a number of benefits beyond security (which should be your primary concern):
- It’s simple to implement.
- You don’t need to build your user interface from scratch.
- Easier to maintain. If you wish to later introduce features such as multi-factor authentication, you don’t need to modify your application.
- You can still customise the universal login to make it feel like you’re still in the application.
- Better support for SSO.
I should also point out that the password grant was never intended as a primary means of authorizing clients. It was created as a bridge for legacy clients that use older authentication schemes such as HTTP Basic or Digest.