Looks like the author of oauthlib interpreted the spec this way. The section on the Resource Owner Password Credentials grant type (https://www.rfc-editor.org/rfc/rfc6749#section-4.3) says:
(B) The client requests an access token from the authorization
server's token endpoint by including the credentials received
from the resource owner. When making the request, the client
authenticates with the authorization server.
Note that it suggests that the client authenticates but it does not use the MUST keyword in that last sentence. Just below that there's slightly more elaborate text (https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2) saying:
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
Note the "If the client is confidential", this time implying that public clients may use this grant type too, which makes sense.
So I believe this is due to a too strict interpretation of the wording in the specs.