If an attacker would obtain a dumb of the database they could read out the OAuth2 client secret trivially.
https://github.com/nextcloud/server/blob/master/apps/oauth2/lib/Controller/OauthApiController.php#L128
While I realise this is a big if it is not that hard to make sure the client secret is stored properly hashed.
Or at the very least make sure it is stored encrypted. (however non recoverable has the preference here I’d say)
An attacker obtaining the read access to a dump of the database can trivially impersonate any OAuth2 client.