Description
The spec today does not include the words "cache" or "caching". I think that because the spec relies on fetch, standard HTTP caching applies and it would be normal for an IdP to permit caching (using `Cache-Control`) unconditionally on config and well-known endpoints, to permit caching on the account endpoint with `Vary: Cookie`, and even potentially on the id assertion endpoint.
It's not clear if browsers do any additional caching beyond what is explicitly permitted by IdPs in Cache-Control headers.
It would be helpful for the specification in the "Identity Provider HTTP API" section to touch on caching briefly. This could be as simple as updating the response examples to include HTTP headers, not just the response body, including `Cache-Control` and `Vary` headers and a few explanatory words about how an IdP might implement caching.
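As an added illustration (not code from the issue or the FedCM spec), here is one way an IdP could choose per-endpoint caching headers along the lines described above, together with a check that flags the combination a defender cares about most: a cookie-dependent response that a shared cache could serve to a different user. The endpoint paths are assumed for the example, and it takes the conservative position of marking the id assertion `no-store` rather than cacheable.

```python
"""Per-endpoint caching policy for a FedCM IdP plus a header sanity check.
Endpoint paths below are illustrative assumptions, not names fixed by the spec."""

WELL_KNOWN = "/.well-known/web-identity"   # assumed path
CONFIG = "/fedcm/config.json"              # assumed path
ACCOUNTS = "/fedcm/accounts"               # assumed path
ID_ASSERTION = "/fedcm/assertion"          # assumed path


def caching_headers(path: str) -> dict[str, str]:
    """Headers an IdP could attach to each endpoint's response."""
    if path in (WELL_KNOWN, CONFIG):
        # Identical for every caller, so shared caches may keep it.
        return {"Cache-Control": "public, max-age=3600"}
    if path == ACCOUNTS:
        # Depends on the user's session cookie: browser cache only, keyed on Cookie.
        return {"Cache-Control": "private, max-age=60", "Vary": "Cookie"}
    # The id assertion is a fresh per-request credential: never store it.
    return {"Cache-Control": "no-store"}


def cache_problems(path: str, headers: dict[str, str]) -> list[str]:
    """Flag header combinations that could expose one user's response to another."""
    cc_raw = headers.get("Cache-Control", "")
    cc = {d.strip().split("=", 1)[0].lower() for d in cc_raw.split(",") if d.strip()}
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",") if v.strip()}
    problems: list[str] = []
    if path not in (ACCOUNTS, ID_ASSERTION):
        return problems            # config/well-known are the same for everyone
    if "no-store" in cc:
        return problems            # never cached, nothing to leak
    if path == ID_ASSERTION:
        problems.append(f"{path}: id assertion should be no-store")
        return problems
    if not cc:
        problems.append(f"{path}: no Cache-Control; caches may apply heuristic freshness")
    elif "private" not in cc:
        problems.append(f"{path}: cookie-dependent response cacheable by shared caches")
    if "cookie" not in vary and "*" not in vary:
        problems.append(f"{path}: missing 'Vary: Cookie'")
    return problems
```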