I assume you’re talking about tokens visible on screen. Because for anything else, like for the client having both the refresh and access token, the refresh token would be leaked as well.
It seems strange to me that leaking data on screen would be the entire reasoning behind putting these restrictions on everything. Or the very least not opening the restrictions to certain use cases, e.g. through a different auth flow.