The token is not always salted when stored

While OIDC-41 did introduce everything required to support and manipulate salted stored tokens, they are not actually salted in practice.

Since OIDC-41 also changed the type of that field to password, only admins can access the value, so the impact is very limited in practice but would still be better to go all the way.