Open
Description
https://docs.rs/oauth2/5.0.0-rc.1/oauth2/index.html#getting-started-authorization-code-grant-w-pkce currently notes:
> PKCE is recommended whenever the OAuth2 client has no client secret or has a client secret that cannot remain confidential (e.g., native, mobile, or client-side web applications).
While researching what flow to use, I found this comment, which links some useful information on why PKCE is recommended even for confidential clients. This is pretty interesting, and I feel like it would have been useful to find this when reading the crate docs.