Issuer identification #12270
dpulrichth
started this conversation in
Ideas
Replies: 0 comments
RFC 9207 introduces the `iss` parameter to aid the prevention of mix-up attacks. In short, mix-up attacks can occur if a client using the authorization code grant or implicit grant interacts with more than one AS and one of those AS is malicious. The client is tricked into sending an authorization request to the malicious AS, which then goes on to redirect the client to an honest AS. Once the honest AS returns the authorization code, the malicious AS returns it to the client in the hope that the client will redeem it at the malicious AS, thereby revealing the authorization code to the malicious AS. The attack is explained in some detail in the OAuth security best current practices.

Adding the `iss` parameter as described in RFC 9207 allows clients to detect and thwart such an attack. This feature would add an extra layer of security without burdening clients that don't support it, as they can just ignore the `iss` information.
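How a client would use the `iss` parameter to detect the mix-up attack described in the post above, as an added example that is not part of this discussion or of the project's own code. The issuers, the metadata table, the client ID, the code value and the `run_flow` simulation are all constructed for illustration; the check itself follows RFC 9207: the client records which AS each `state` was sent to, requires the `iss` in the authorization response to match that issuer by exact string comparison, and rejects a response without `iss` from an AS whose metadata advertises `authorization_response_iss_parameter_supported`.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed AS metadata for this example (hypothetical issuers, not real servers).
# The boolean is the RFC 9207 metadata field a client consults to decide whether
# an authorization response that lacks `iss` must be rejected.
AS_METADATA = {
    "https://honest.example": {
        "authorization_endpoint": "https://honest.example/authorize",
        "authorization_response_iss_parameter_supported": True,
    },
    "https://attacker.example": {
        "authorization_endpoint": "https://attacker.example/authorize",
        "authorization_response_iss_parameter_supported": True,
    },
    "https://legacy.example": {
        "authorization_endpoint": "https://legacy.example/authorize",
        "authorization_response_iss_parameter_supported": False,
    },
}


class MixUpDetected(Exception):
    """Raised when an authorization response cannot be tied to the AS we used."""


def start_authorization(issuer, client_id, redirect_uri, pending):
    """Build the authorization request URL and remember which AS the state belongs to."""
    state = secrets.token_urlsafe(16)
    pending[state] = issuer  # client-side session: state -> expected issuer
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AS_METADATA[issuer]["authorization_endpoint"] + "?" + urlencode(params)


def _single(query, name):
    """Return exactly one value for a query parameter, rejecting missing or repeated ones."""
    values = query.get(name, [])
    if len(values) != 1:
        raise MixUpDetected(f"parameter {name!r} missing or repeated")
    return values[0]


def handle_authorization_response(redirect_url, pending):
    """Validate the redirect back to the client; return (issuer, code) or raise."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = _single(query, "state")
    # The state only tells us which request this is, not who answered it;
    # pop it so the same response cannot be replayed.
    expected_issuer = pending.pop(state, None)
    if expected_issuer is None:
        raise MixUpDetected("unknown or replayed state")
    supports_iss = AS_METADATA[expected_issuer]["authorization_response_iss_parameter_supported"]
    iss_values = query.get("iss", [])
    if not iss_values:
        if supports_iss:
            raise MixUpDetected("AS advertises iss support but the response carries no iss")
    # RFC 9207 section 2.4: simple string comparison, no URL normalisation.
    elif len(iss_values) != 1 or iss_values[0] != expected_issuer:
        raise MixUpDetected(f"iss {iss_values} does not match {expected_issuer}")
    return expected_issuer, _single(query, "code")


def run_flow(requested_issuer, responding_issuer, omit_iss=False):
    """Simulate one round trip (constructed values) and report the client's decision."""
    pending = {}
    request_url = start_authorization(
        requested_issuer, "client-example", "https://client.example/cb", pending)
    state = parse_qs(urlsplit(request_url).query)["state"][0]
    # The AS that actually answers echoes our state back; in the mix-up case
    # that is the honest AS even though we sent the request to the attacker.
    response = {"code": "constructed-code", "state": state}
    if not omit_iss:
        response["iss"] = responding_issuer
    callback_url = "https://client.example/cb?" + urlencode(response)
    try:
        issuer, code = handle_authorization_response(callback_url, pending)
    except MixUpDetected as exc:
        return f"rejected: {exc}"
    return f"accepted: redeem {code} at {issuer}"


if __name__ == "__main__":
    print(run_flow("https://honest.example", "https://honest.example"))
    print(run_flow("https://attacker.example", "https://honest.example"))
    print(run_flow("https://honest.example", "https://honest.example", omit_iss=True))
    print(run_flow("https://legacy.example", "https://legacy.example", omit_iss=True))
```

The second call is the attack from the post: the request went to `https://attacker.example`, the honest AS answered with a valid `state`, and only the `iss` mismatch reveals that the code must not be redeemed at the AS the client thinks it is talking to. The fourth call shows the backwards-compatible case the post mentions: an AS that does not advertise `iss` support is still accepted without it, while a mismatching `iss` from any AS is always rejected.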