PKCE (Proof Key for Code Exchange) is an optional OAuth extension that mitigates the risk of a malicious actor intercepting an authorization code.
See the spec: https://tools.ietf.org/html/rfc7636
Confidential clients MUST NOT be required to use PKCE (this would be a breaking API change). At this time, all clients in Synapse are confidential.
Private clients, when created, should be required to use PKCE.
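
A sketch of the policy described above, added here as an example and not taken from Synapse's code: PKCE stays optional for confidential clients, is mandatory for any client that is not confidential, and is always verified once a challenge has been registered. The function names, the `confidential` flag and the `PkceError` type are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# code_verifier syntax from RFC 7636 section 4.1: 43-128 unreserved characters
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

class PkceError(Exception):
    """Carries the OAuth error code to return (hypothetical type)."""

def s256(verifier):
    # BASE64URL(SHA256(ASCII(code_verifier))) with padding removed
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def accept_authorization_request(confidential, code_challenge=None, method=None):
    """Authorization endpoint: return what must be stored with the issued code."""
    if code_challenge is None:
        if confidential:
            return None  # no breaking change: existing clients may omit PKCE
        raise PkceError("invalid_request: code_challenge required")
    method = method or "plain"  # RFC 7636 default when the method is omitted
    if method not in ("S256", "plain"):
        raise PkceError("invalid_request: unsupported code_challenge_method")
    return (code_challenge, method)

def verify_token_request(stored, code_verifier=None):
    """Token endpoint: check code_verifier against the stored challenge."""
    if stored is None:
        # Added hardening in this example: a verifier with no stored
        # challenge means the challenge was stripped from the first request.
        if code_verifier is not None:
            raise PkceError("invalid_grant: unexpected code_verifier")
        return True
    if code_verifier is None or not VERIFIER_RE.fullmatch(code_verifier):
        raise PkceError("invalid_grant: missing or malformed code_verifier")
    challenge, method = stored
    expected = s256(code_verifier) if method == "S256" else code_verifier
    # Constant-time comparison of the recomputed and stored challenge
    if not hmac.compare_digest(expected.encode(), challenge.encode()):
        raise PkceError("invalid_grant: code_verifier mismatch")
    return True
```

A confidential client that does send a `code_challenge` is held to it at the token endpoint, so opting in is never weaker than opting out.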