Description
The recent OAuth draft for browser-based apps (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) focuses on the threat of malicious JavaScript. There is always the risk of XSS or injected code, and the draft seemingly argues towards not having Access Tokens (AT) in the JS client, but rather having the BFF take care of the AT and bind the JS client with a session cookie. As far as I can see, the discussed JS attack threats also apply to FedCM. In its current state, FedCM only works with a JS client. There cannot be a BFF or any other backend in between the client app and the IdP to avoid having the tokens in the JS part. Are there any plans to have a flow which allows the client to initiate FedCM, but where the tokens are essentially transferred from the IdP to a backend system of the RP?
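The flow the issue describes, as an added example that is neither the issue author's nor the FedCM project's code: the browser returns the IdP token to page JavaScript, and only then can the client hand it to an RP backend (BFF) that verifies it and sets an HttpOnly session cookie. The IdP `configURL`, `clientId`, the `/bff/session` endpoint and the injected `credentials`/`fetchImpl` parameters (so the code runs outside a browser) are assumptions.

```javascript
// Assumed IdP configuration; in a real RP these come from the backend.
const FEDCM_REQUEST = {
  identity: {
    providers: [{
      configURL: "https://idp.example/fedcm.json", // assumed, not a real IdP
      clientId: "rp-client-id",                     // assumed
      nonce: "server-issued-nonce",                 // should be minted by the BFF
    }],
  },
};

// Step 1: obtain the IdP token through FedCM. `credentials` is injected
// so this runs in Node; in a page it is navigator.credentials.
// The returned IdentityCredential exposes the token to page JS, which is
// exactly the exposure the issue is concerned about.
async function getIdpToken(credentials) {
  const cred = await credentials.get(FEDCM_REQUEST);
  return cred.token;
}

// Step 2: forward the token to the RP backend (BFF). The backend validates
// it and answers with a Set-Cookie session so the token need not be kept
// in JS afterwards. Any injected script can still observe the POST body.
async function exchangeAtBff(token, fetchImpl) {
  const res = await fetchImpl("/bff/session", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    credentials: "same-origin",
    body: JSON.stringify({ token }),
  });
  return res.ok;
}

// End-to-end: returns true when the BFF accepted the token.
async function loginViaFedCM(credentials, fetchImpl) {
  const token = await getIdpToken(credentials); // token readable by page JS here
  return exchangeAtBff(token, fetchImpl);
}
```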