Changing client access-type from 'public' to 'confidential' breaks CORS?

Hope I’ve chosen the right place for this; sorry if I’m wrong.
I’m working on a react app that uses keycloak. When the client access-type is set to ‘public’, everything works fine. If I change the client access-type to ‘confidential’, my react app suddenly starts throwing CORS error messages.

I have added the appropriate client-secret to the keycloak.json file that my react app uses, but this doesn’t appear to have altered the behaviour in any way.

Is there something I’m missing? I am quite new to keycloak; loving it so far, but was unfortunately able to find any other resources online to help me debug this issue.

Why would you use a confidential access type for a public client?
If you put a secret in your keycloak.json file that is readable by everybody that can access your public app how is this still confidential?

A public client is the way to go for a SPA

The fault is probably on me, here.
I have been working under the assumption that my front-end and back-end would use the same ‘client’.

A ‘public’ client for the frontend and a different, confidential client for my back-end sounds more sensible. Feeling a bit silly for not having realised this earlier. Thanks!