Sorry to come back to this, but after more thinking, it looks like the only safe way is to ask every user of a client app to create the client id + secret himself, and enter both in the app at runtime.
In other words, doing as if every user developed his own app.
That's because whatever encryption/keys/server you use, it's always possible to decrypt everything in an apk and extract the keys.
... But then, what is the whole purpose of having client credentials? A single user-specific secret is enough to also identify an app...
Anyway, this type of discussion already occurred at F-Droid, and they rejected the option of having a private configuration file for these very same reasons.
So, I'm gonna build the apk myself with a private config file, and not distribute the apk with F-Droid; it's far from perfect because the keys may still be hacked, and the app's users will not have any guarantee about the software source as with F-Droid, but at least they'll be able to play Go on Android.