The purpose of the Hybrid Flow with the code token response type is that the client can obtain a restricted access token immediately from the Authorization Endpoint (like in the Implicit Flow) and is still able to get a more powerful access token from the Token Endpoint in an additional round trip (like in the Authorization Code Flow).
As you correctly point out, the security of the first token isn't optimal. The token is revealed to the browser, and the Client hasn't authenticated towards the Authorization Server at this point. So the Access Token should be restricted as much as possible. However, depending on your use case, it may still be beneficial for the Client to get this restricted Access Token immediately from the Authorization Endpoint.
If the Client needs more extensive access, then it's supposed to use the Token Endpoint. In this extra step, it is possible for the Authorization Server to require Client authentication, and the token isn't revealed to the browser. Both justify making the access tokens more powerful.
Also see the explanation in the OIDC Core specification.
3.3.3.8. Access Token
If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case for the response_type values code token and code id_token token, their values MAY be the same or they MAY be different. Note that different Access Tokens might be returned be due to the different security characteristics of the two endpoints and the lifetimes and the access to resources granted by them might also be different.
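An added illustration of the split described above, not code from the answer or from the OIDC specification: a toy Authorization Server policy that mints a narrow, short-lived token at the Authorization Endpoint and a broader one at the Token Endpoint after client authentication, plus the resource-server check that enforces the difference. The scope names, lifetimes, HMAC token format, signing key and function names are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"  # constructed value, for the example only

# Hypothetical policy: scopes and lifetime (seconds) each endpoint may grant.
FRONT_CHANNEL = {"scopes": {"openid", "profile"}, "ttl": 300}
BACK_CHANNEL = {"scopes": {"openid", "profile", "orders:read", "orders:write"},
                "ttl": 3600}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_access_token(endpoint, requested_scopes, client_authenticated=False, now=None):
    """Mint a token whose scope and lifetime depend on the issuing endpoint."""
    now = int(time.time()) if now is None else now
    if endpoint == "authorization":
        policy = FRONT_CHANNEL  # this token is exposed to the browser
    elif endpoint == "token":
        # Assumption: a confidential client, so authentication is mandatory here.
        if not client_authenticated:
            raise PermissionError("token endpoint requires client authentication")
        policy = BACK_CHANNEL
    else:
        raise ValueError(f"unknown endpoint: {endpoint}")
    # Down-scope: grant only the requested scopes this endpoint is allowed to issue.
    claims = {"scope": sorted(set(requested_scopes) & policy["scopes"]),
              "exp": now + policy["ttl"], "endpoint": endpoint}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def authorize(token, required_scope, now=None):
    """Resource-server check: signature first, then expiry and scope."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims["exp"] > now and required_scope in claims["scope"]
```
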