True, but it would be tricky.

Wouldn’t the attacker have to find a way to extract the code_verifier from local storage and pass it along with the hijacked redirect?

They would have to somehow have the ability to write custom JS code on the path they are redirecting to. I guess this is possible on sites that don’t sanitize user inputs.

