Currently, if you register an OAuth 2.0 Confidential client (i.e., one that has client credentials), then by default it has a set of allowed response types that includes the various implicit flows: "token", "id_token" and the various hybrid flows like "code id_token".
These flows do not require client authentication to obtain an access token and/or id token, despite the fact that the client is capable of it. This is probably not a configuration that anyone actually wants.
The spec is silent on whether this should be allowed or not, and there may be some valid reason for wanting this. However, this should probably be an opt-in rather than opt-out situation, as if you leave the settings as their defaults you end up with a questionable security setting.
I suggest we change the default response types to just "code" and require clients to explicitly add the other flows if they want them.
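
An added example (not part of the original report and not the product's own code): a Python audit that lists confidential clients whose registered response types include the implicit or hybrid flows described above. It assumes client records use the RFC 7591 metadata names `client_id`, `response_types` and `token_endpoint_auth_method`; the sample clients are constructed.

```python
# Added example: find confidential clients that still allow response types
# which return tokens straight from the authorization endpoint.

# Components of a response type that cause a token to be issued without
# the client authenticating at the token endpoint.
FRONT_CHANNEL = {"token", "id_token"}

def is_confidential(client):
    # RFC 7591: an omitted auth method defaults to client_secret_basic;
    # "none" marks a public client.
    return client.get("token_endpoint_auth_method", "client_secret_basic") != "none"

def risky_response_types(client):
    """Return the registered response types that are implicit or hybrid."""
    risky = []
    # RFC 7591: an omitted response_types defaults to ["code"].
    for rt in client.get("response_types", ["code"]):
        # A response type is an unordered, space-separated set of values,
        # so "id_token code" and "code id_token" are the same flow.
        if FRONT_CHANNEL & set(rt.split()):
            risky.append(rt)
    return risky

def audit(clients):
    """Map client_id -> risky response types, for confidential clients only."""
    findings = {}
    for client in clients:
        if is_confidential(client):
            risky = risky_response_types(client)
            if risky:
                findings[client["client_id"]] = risky
    return findings

# Constructed sample registrations (hypothetical client names).
SAMPLE_CLIENTS = [
    {"client_id": "billing-backend", "token_endpoint_auth_method": "client_secret_basic",
     "response_types": ["code", "token", "id_token", "code id_token"]},
    {"client_id": "reports-backend", "token_endpoint_auth_method": "private_key_jwt",
     "response_types": ["code"]},
    {"client_id": "spa", "token_endpoint_auth_method": "none",
     "response_types": ["token"]},
    {"client_id": "legacy", "response_types": ["id_token code"]},
]

if __name__ == "__main__":
    for client_id, risky in audit(SAMPLE_CLIENTS).items():
        print(f"{client_id}: remove or explicitly justify {risky}")
```

Public clients such as `spa` are skipped on purpose: the report concerns clients that hold credentials yet are allowed flows that never use them.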