The client ID can be provided safely to your users client side. In order to do a successful OpenID Connect flow, Okta needs to send the JWT tokens to a specific callback mentioned on the initial request to the authorization endpoint. This URL needs to be whitelisted in the OpenID Connect application in Okta under Admin >> Applications >> openid app >> General >> Login Redirect URIs.
Any attempts to modify the callback endpoint without whitelisting it in the application’s settings will result in an error on Okta’s end, preventing as such possible phishing attempts.