From what I have read, it is a requirement to include client_secret.
The RFC below describes how refresh tokens work.
(G) The client requests a new access token by authenticating with
the authorization server and presenting the refresh token. The
client authentication requirements are based on the client type
and on the authorization server policies.
(H) The authorization server authenticates the client and validates
the refresh token, and if valid, issues a new access token (and,
optionally, a new refresh token).
When you are requesting a new access token with a refresh token, client authentication is required based on the client type.
If we read more here:
If the client was issued a secret, then the client must authenticate this request.
I hope this info helps you to understand.
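
Steps (G) and (H) as an authorization server might check them, in an added example that is not part of the original answer: a client that was issued a secret must authenticate the refresh request, a public client need not, and the refresh token must belong to the requesting client. The client ids, secrets, tokens and function names are constructed for illustration; the error codes are the ones RFC 6749 defines.

```python
import base64
import hmac

# Constructed sample data: registered clients and issued refresh tokens.
CLIENTS = {
    "web-app": {"secret": "s3cr3t-constructed"},  # confidential client
    "mobile-app": {"secret": None},               # public client, no secret issued
}
REFRESH_TOKENS = {"rt-web-1": "web-app", "rt-mobile-1": "mobile-app"}


def basic_auth(client_id, client_secret):
    """Build the HTTP Basic Authorization header value a confidential client sends."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def authenticate_client(headers, form):
    """Return (client_id, None) or (None, error); the client authentication in (G)/(H)."""
    client_id, secret = form.get("client_id"), None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:
            return None, "invalid_client"
        client_id, _, secret = decoded.partition(":")
    client = CLIENTS.get(client_id)
    if client is None:
        return None, "invalid_client"
    if client["secret"] is not None:
        # A secret was issued, so the request must be authenticated with it.
        if secret is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
            return None, "invalid_client"
    return client_id, None


def handle_refresh(headers, form):
    """Return (http_status, body) for a grant_type=refresh_token request."""
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    client_id, err = authenticate_client(headers, form)
    if err:
        return 401, {"error": err}
    # The refresh token must have been issued to the authenticated client.
    if REFRESH_TOKENS.get(form.get("refresh_token")) != client_id:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-constructed", "token_type": "Bearer"}
```

The sample secret contains no characters that need escaping; a full implementation also form-urlencodes the Basic credentials before base64 encoding, as RFC 6749 specifies.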