Why not use PKCE for backend apps, too?

Why not use PKCE for backend apps, too?

For SPA/frontend apps, you should be using PKCE these days for OAuth flow. But the backend apps have this additional complexity of having to have a secret key and use that key to talk to the token endpoint. Why not just use PKCE on the backend, too?