Why does OpenID Connect let a client initiate authentication for another client?
If it's indeed possible in Keycloak, then it's a problem of the implementation, not the spec. The OAuth spec, in section 4.1.2, indicates this for the authorization code:
"The authorization code is bound to the client identifier and redirection URI."
As for the redirect URI, it should also be verified, and client A should be able to use the redirect URI of client B only if that other redirect URI was whitelisted for client A.
The Proof Key for Code Exchange is also something which would prevent such a use of an OAuth flow as you described here.
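The three checks named in this answer (redirect URI allow-list, code bound to client and redirect URI, PKCE), as an added sketch that is not part of the original answer and is not Keycloak's code. All names (`REGISTERED`, `issue_code`, `redeem_code`), the client ids and the URLs are constructed for illustration, and `client_id` is assumed to be already authenticated when it reaches `redeem_code`.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample registrations: each client may use only its own redirect URIs.
REGISTERED = {
    "client-a": {"https://a.example/cb"},
    "client-b": {"https://b.example/cb"},
}
_codes = {}  # code -> (client_id, redirect_uri, code_challenge); a real server adds an expiry


def s256(verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    """Authorization endpoint: refuse a redirect URI not registered for this client."""
    if redirect_uri not in REGISTERED.get(client_id, set()):
        raise ValueError("redirect_uri not registered for client")
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, redirect_uri, code_challenge)
    return code


def redeem_code(code: str, client_id: str, redirect_uri: str, code_verifier: str) -> str:
    """Token endpoint: enforce the binding from RFC 6749 section 4.1.2, then PKCE."""
    bound = _codes.pop(code, None)  # pop: a code can be presented only once
    if bound is None:
        return "invalid_grant: unknown or already used code"
    bound_client, bound_uri, challenge = bound
    if client_id != bound_client:
        return "invalid_grant: code was issued to another client"
    if redirect_uri != bound_uri:
        return "invalid_grant: redirect_uri mismatch"
    if not hmac.compare_digest(s256(code_verifier).encode(), challenge.encode()):
        return "invalid_grant: PKCE verifier mismatch"
    return "ok"
```

Because the code is consumed on the first presentation, a failed redemption by the wrong client also invalidates it for everyone else.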