Thanks for the reply!
So I guess my understanding is well enough for that part and getting details would require a look into the code (which I will not do for now).
On the other hand I have some homework to do regarding the different auth flows. For example, I am not even sure if the backchannel config. matters for Standard/Authorization Code flows.
For now I have a working setup with a first client while BACKCHANNEL_DYNAMIC is still false. In my podman network I have now set a DNS alias for keycloak.mydomain.com on the traefik container (not the keycloak container!) so that clients could just use the full frontchannel URI to talk to keycloak (via traefik), which would remove the need for BACKCHANNEL_DYNAMIC anyway and would still keep communication within the container network.
In several aspects I am not even sure if that setup makes a lot of sense: Do clients even directly talk to keycloak when using Authorization Code? If so, is it a sensible approach to run this via frontchannel URI and reverse proxy? I guess I will only find answers when looking into the OIDC Authorization Code message flow, but for now I am content with a working setup.