Description
Section 5 (OID4VP) has this bullet point indicating A128GCM must be supported:
> The JWE enc (encryption algorithm) header parameter (see Section 4.1.2 of [RFC7516]) value A128GCM (as defined in Section 5.3 of [RFC7518]) MUST be supported.
I suggest that it be changed to A256GCM instead. This primitive is probably available everywhere A128GCM is available, and when reading through issue #112 I did not see any arguments for a downgrade other than what I believe to be an erroneous "strength matching" argument. Strength matching arguments are tenuous at best, especially when mixing different kinds of cryptography. In particular here, for example, P-256 is actually considered "stronger" than AES-128, so AES-128 is a downgrade; see: https://mailarchive.ietf.org/arch/msg/jose/fZdQ9qQ9ZISnxx54Cv2qEKq4fuI/
Unless there are significant implementations / systems where A256GCM is infeasible to use, it would be simpler to require this single strength everywhere instead.
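The `enc` header the quoted bullet refers to is what fixes the content-encryption key size (16 bytes for A128GCM, 32 for A256GCM) and what a receiving party has to police. The following is an added example, not code from the OID4VP specification or from any implementation discussed in this issue: a minimal `alg: dir` JWE encrypt/decrypt built only on Go's standard library, which derives the CEK length from `enc`, authenticates the protected header as AAD, and lets the receiver enforce an allow-list, so that requiring A256GCM is a one-entry policy. The function names, the `allowedEnc` parameter and the sample payload are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CEKLength maps a JWE "enc" value to the content-encryption key size it
// requires (RFC 7518 Section 5.3): A128GCM -> 16 bytes, A256GCM -> 32 bytes.
func CEKLength(enc string) (int, error) {
	switch enc {
	case "A128GCM":
		return 16, nil
	case "A192GCM":
		return 24, nil
	case "A256GCM":
		return 32, nil
	}
	return 0, fmt.Errorf("unsupported enc %q", enc)
}

// EncryptDir produces a JWE compact serialization with alg "dir" (the caller's
// key is the CEK, so no key-agreement or key-wrap step is involved) and the
// requested AES-GCM enc. The base64url protected header is the AAD (RFC 7516 Section 5.1).
func EncryptDir(cek []byte, enc string, plaintext []byte) (string, error) {
	n, err := CEKLength(enc)
	if err != nil {
		return "", err
	}
	if len(cek) != n {
		return "", fmt.Errorf("enc %s needs a %d-byte CEK, got %d bytes", enc, n, len(cek))
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "dir", "enc": enc})
	protected := base64.RawURLEncoding.EncodeToString(hdr)
	block, err := aes.NewCipher(cek) // key length selects AES-128/192/256
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, as RFC 7518 Section 5.3 requires
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the 128-bit tag to the ciphertext
	b64 := base64.RawURLEncoding.EncodeToString
	// alg "dir" leaves the encrypted-key segment empty
	return strings.Join([]string{protected, "", b64(iv), b64(sealed[:split]), b64(sealed[split:])}, "."), nil
}

// DecryptDir parses a compact JWE, enforces a receiver-side allow-list for enc
// before touching any key material, and returns the plaintext.
func DecryptDir(cek []byte, jwe string, allowedEnc []string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("malformed compact JWE: expected 5 segments")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrBytes, err := dec(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "dir" || parts[1] != "" {
		return nil, errors.New("only alg=dir is handled in this example")
	}
	permitted := false
	for _, a := range allowedEnc {
		permitted = permitted || a == hdr.Enc
	}
	if !permitted {
		return nil, fmt.Errorf("enc %q rejected by policy (allowed: %v)", hdr.Enc, allowedEnc)
	}
	if n, err := CEKLength(hdr.Enc); err != nil || len(cek) != n {
		return nil, fmt.Errorf("key length %d does not match enc %s", len(cek), hdr.Enc)
	}
	iv, err1 := dec(parts[2])
	ct, err2 := dec(parts[3])
	tag, err3 := dec(parts[4])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url in JWE segments")
	}
	block, _ := aes.NewCipher(cek) // length already validated above
	gcm, _ := cipher.NewGCM(block)
	if len(iv) != gcm.NonceSize() || len(tag) != gcm.Overhead() {
		return nil, errors.New("bad IV or tag length")
	}
	// Open checks the tag over the protected header (AAD) before releasing plaintext
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
}

func main() {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		panic(err)
	}
	jwe, err := EncryptDir(cek, "A256GCM", []byte(`{"vp_token":"constructed sample"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(jwe)
	pt, err := DecryptDir(cek, jwe, []string{"A256GCM"}) // policy: A256GCM only
	fmt.Printf("%s %v\n", pt, err)
}
```

With the allow-list set to `{"A256GCM"}` a token produced under A128GCM is refused at header inspection, before any AES key is instantiated; widening the list to `{"A128GCM", "A256GCM"}` is what accepting the current "MUST support A128GCM" wording amounts to on the receiving side.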