Currently Twitch provides authorization code and implicit code flows, but neither of them is secure outside of a browser (and the implicit code flow is also inconvenient as it requires opening a browser to renew a token).
The recommended way for native apps is PKCE which basically makes it possible to use a client-generated “code verifier” instead of a client secret.
P.S. I found this article that I think is good at explaining what’s wrong with using either flow without PKCE
The page on oauth.net on implicit flow also states that PKCE should be used instead (and implicit grant type is discouraged even for browser-based apps) and provides links to a few other articles on the topic.
OAuth 2.0 Implicit Grant Type