Access OAuth2 client config in OIDC claim script

I am playing with the AM module and would like to add a new claim to the id token. This new claim needs to be encrypted with secret configured against the OAuth2Client. Is clientProperties[‘customProperties’] in the custom OIDC claim script the only way around this?

imho the entire ID Token should be encrypted, instead of a single attribute within.
Custom properties are not designed to carry secrets.

Thanks for the reply. The reason we need custom claim is since pairwise sub claim does not work well with CIBA flow.
Ex: Generate id token with pairwise sub claim, and if that token is used as id_token_hint for the /bc-authorize , it does not work. Reckon I have created a seperate thread for that.