I noticed that when signing in with the email provider the library uses grant_type=password. Normally, I don't adhere to strict "best practices" because sometimes it makes sense to deviate. However, this is out of my area of expertise and also one that's very important to get right. The IETF explicitly forbids the use of this grant type.
> The resource owner password credentials grant MUST NOT be used. This grant type insecurely exposes the credentials of the resource owner to the client.
It seems to me, though, that since the GoTrue server would be "owned" by the same party that owns the client, it would be okay. I'm assuming that was the reasoning but wanted to hopefully gain some insight. So, could someone explain why the decision was made to use a grant type that the best practices document for OAuth 2.0 explicitly forbids? Why not something like the authorization_code grant with PKCE?
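To make the difference concrete, here is an added example (not GoTrue code, and not from the original discussion) contrasting what the client must handle under the two grants: with `grant_type=password` the client itself assembles a request containing the raw password, whereas with `authorization_code` plus PKCE (RFC 7636) the client only ever holds a random `code_verifier`, and the authorization server checks the S256 challenge when the code is redeemed. The endpoint URL, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def password_grant_body(email: str, password: str) -> dict:
    """Token request body for the password grant: the user's real
    credentials pass through the client, which is what the BCP objects to."""
    return {"grant_type": "password", "username": email, "password": password}


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1 minimum).
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(client_id: str, redirect_uri: str,
                          challenge: str, state: str) -> str:
    """Front-channel request sent by the client; the user authenticates at the
    authorization server, so the client never sees the password."""
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return "https://auth.example.invalid/authorize?" + urlencode(params)


def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    """Authorization-server side check at the token endpoint: recompute the
    challenge from the verifier presented with the code and compare in
    constant time. Only S256 is accepted; 'plain' is rejected."""
    if stored_method != "S256":
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)
```

The only secret the client handles in the PKCE flow is the verifier, which is single-use and bound to one authorization code, so a compromised or logging client cannot replay the user's credentials.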