Add a CIBA notification mode that does not directly deliver the token(s) but rather informs the client that they can go and fetch the token(s).
This normalizes the means of the client obtaining tokens in all cases to it making a request to the token endpoint, which is a well established pattern. And keeping token delivery at the token endpoint simplifies things in situations where tokens are bound to client keys (like with MTLS and Token Binding, for example). I can't say that it's really that much more secure. But I can say that it's not introducing a completely new mechanism of token delivery for which the security properties likely aren't as well understood and haven't been evaluated by as many people.
Some list discussion on the topic: http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180702/001191.html
Was also discussed on the July 10th 2018 MODRNA WG call: http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001202.html
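A minimal model of the proposed mode, added here as an illustration and not code from this issue, the MODRNA WG or the CIBA spec: the notification carries only an `auth_req_id`, and tokens are issued solely by the token endpoint, where the client has authenticated and the token can be bound to its key. The `auth_req_id` name and the grant type URN are taken from the later CIBA specification; the in-memory classes, the certificate-thumbprint binding and the single-use treatment of the id are assumptions.

```python
import base64, hashlib, secrets
CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type URN from the CIBA spec


class AuthorizationServer:
    # Toy AS: the notification carries no tokens; only the token endpoint issues them.
    def __init__(self):
        self.requests = {}  # auth_req_id -> {"client_id": ..., "status": ...}

    def backchannel_authentication(self, client_id):
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"client_id": client_id, "status": "pending"}
        return auth_req_id

    def end_user_approves(self, auth_req_id):
        self.requests[auth_req_id]["status"] = "approved"
        return {"auth_req_id": auth_req_id}  # the ping: an id to fetch with, nothing else

    def token_endpoint(self, client_id, client_cert_der, grant_type, auth_req_id):
        req = self.requests.get(auth_req_id)
        # Unknown id, wrong client, wrong grant, or already consumed (single use is an assumption)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id or req["status"] == "consumed":
            return {"error": "invalid_grant"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        req["status"] = "consumed"
        # Token is issued here, so it can be bound to the authenticated client's MTLS certificate.
        thumbprint = base64.urlsafe_b64encode(hashlib.sha256(client_cert_der).digest()).rstrip(b"=").decode()
        return {"access_token": {"sub": "user", "cnf": {"x5t#S256": thumbprint}},
                "token_type": "Bearer"}


class Client:
    def __init__(self, client_id, cert_der, server):
        self.client_id, self.cert_der, self.server = client_id, cert_der, server

    def on_notification(self, body):
        # Ping received: go to the token endpoint instead of reading tokens from the ping.
        return self.server.token_endpoint(self.client_id, self.cert_der, CIBA_GRANT, body["auth_req_id"])


def run_flow():
    server = AuthorizationServer()
    cert = b"constructed-client-cert-der"  # stand-in for a real DER certificate
    client = Client("client-1", cert, server)
    auth_req_id = server.backchannel_authentication(client.client_id)
    early = client.on_notification({"auth_req_id": auth_req_id})  # polled before approval
    notification = server.end_user_approves(auth_req_id)
    tokens = client.on_notification(notification)
    replay = client.on_notification(notification)  # second fetch with the same id
    return early, notification, tokens, replay
```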