This shouldn't be possible as the server-to-server request to Facebook to exchange the Authorization Code for an Access Token requires the client_id and client_secret to be provided. Facebook should (though I haven't actually confirmed this) verify that the code was issued to the given client_id. If the code was issued for client 123, when client 456 tries to exchange it for an Access Token Facebook should throw an error.
I think they've always done this redirect. Release artifacts are uploaded to S3 and then their Rails app generates a presigned S3 URL that gives short-term access. This is because the artifacts could belong to a private repo, so access control is required.
This frontend presents them nicely: https://trains.jo-m.ch