Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients

[hickford]

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-client-impersonation

The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.

How about strengthening this for public clients to MUST NOT?

[hickford]

Mailing list discussion https://mailarchive.ietf.org/arch/msg/oauth/P3snfqtO2Seb8iAYX8rRRu-16Aw/

Does anyone know why this is only SHOULD NOT? For public clients, how about strengthening it to MUST NOT? How else can the authorization server ensure the request comes from the original client, not an impersonator?