oauth-2.0 openid-connect pkce

Which clients are targeted by an Authorization Code injection attack?


According to https://www.thehacker.recipes/web/config/identity-and-access-management/oauth-2.0#authorization-code-injection:

The goal here is to impersonate a victim by injecting a stolen authorization code into the attacker's own session with the client. Confidential clients are targeted by this attack.

Why is it only confidential clients that are targeted by this attack?

Couldn't public clients be targeted by this attack, as well as authorization code interception attacks?


Solution

  • Indeed, public clients are also vulnerable to this type of attack. It seems that the assumption in the article is that it's trivial to do this for public clients and they don't want to state the obvious. It may be more surprising that confidential ("confused deputy") clients are susceptible to this attack, which is probably why the emphasis is on that part.
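The injection scenario from the question, simulated as an added example (this is not code from the linked article or from the answer above). It models a toy authorization server and a confidential client in one Python process; the client id, the client secret, the in-memory session dicts and the way the attacker obtained the victim's code are all assumptions made for the illustration. With PKCE off, the attacker's session ends up logged in as the victim because the client secret proves only that the client is legitimate, not that the code belongs to this session; with PKCE on, the code_verifier stored in the attacker's own session does not match the code_challenge the victim's flow registered, so the token request fails.

```python
"""Toy model of OAuth 2.0 authorization-code injection and the PKCE check that
stops it. Simplifications (assumed): one client, in-memory sessions, no HTTP,
authorization server and client in the same process."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the S256 method."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Issues single-use codes bound to a client_id and, optionally, a PKCE challenge."""

    def __init__(self):
        self.codes = {}

    def authorize(self, client_id, user, code_challenge=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "code_challenge": code_challenge}
        return code

    def token(self, client_id, client_secret, code, code_verifier=None):
        if client_secret != "s3cret":          # confidential-client authentication (assumed secret)
            return None
        rec = self.codes.pop(code, None)       # codes are single use
        if rec is None or rec["client_id"] != client_id:
            return None
        if rec["code_challenge"] is not None:  # PKCE: verifier must hash to the registered challenge
            if code_verifier is None:
                return None
            expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
            if not secrets.compare_digest(expected, rec["code_challenge"]):
                return None
        return {"sub": rec["user"]}


class Client:
    """Confidential client; each browser session is a plain dict."""

    def __init__(self, auth_server, use_pkce):
        self.auth_server = auth_server
        self.client_id = "webapp"      # assumed
        self.client_secret = "s3cret"  # assumed
        self.use_pkce = use_pkce

    def start_login(self, session):
        """Returns the parameters the client would place in the authorize redirect."""
        session["state"] = secrets.token_urlsafe(16)
        params = {"client_id": self.client_id, "state": session["state"]}
        if self.use_pkce:
            verifier = b64url(secrets.token_bytes(32))
            session["code_verifier"] = verifier
            params["code_challenge"] = b64url(hashlib.sha256(verifier.encode()).digest())
        return params

    def callback(self, session, code, state):
        # state only ties the callback to the session that started a flow;
        # the attacker started their own flow, so their state is valid.
        if not secrets.compare_digest(state, session.get("state", "")):
            return None
        tok = self.auth_server.token(self.client_id, self.client_secret, code,
                                     session.get("code_verifier"))
        if tok:
            session["user"] = tok["sub"]
        return tok


def run_scenario(use_pkce):
    """Returns the user the attacker's session is logged in as after injection (None if nobody)."""
    auth_server = AuthorizationServer()
    client = Client(auth_server, use_pkce)

    # Victim starts a login; the server authenticates the victim and issues a code.
    victim_session = {}
    victim_params = client.start_login(victim_session)
    stolen_code = auth_server.authorize(victim_params["client_id"], "victim",
                                        victim_params.get("code_challenge"))
    # How the code leaked is out of scope; assume the attacker now holds it.

    # Attacker starts their own login to get a valid state for their session,
    # then delivers the stolen code to the callback inside that session.
    attacker_session = {}
    attacker_params = client.start_login(attacker_session)
    client.callback(attacker_session, stolen_code, attacker_params["state"])
    return attacker_session.get("user")


if __name__ == "__main__":
    print("without PKCE:", run_scenario(False))  # victim
    print("with PKCE:   ", run_scenario(True))   # None
```

The point the model makes: the client secret authenticates the client, and state authenticates the session, but neither binds a particular code to the session that requested it. That binding is exactly what the per-session code_verifier adds, which is why PKCE is recommended for confidential clients too and not only for public ones.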