Access tokens are acquired in the background and never expire unless the user logs out. Is there a way to log the user out after a certain period of time/inactivity?
You could change TokenLifetimePolicy of the token lifetime defaults. For the full documentation, see here. Follow the answer to create and set the Token Lifetime Policy.
@azure/msal-angular uses the implicit grant flow, which receives user tokens in URL fragments, which does not seem secure. Is auth code a better way to go about it?
Yes, auth code flow is better. As the doc shows, "There are a few important security considerations to take into account when using the implicit flow specifically around client and user impersonation". Auth code flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens and ID tokens for the signed-in user. You could use auth code flow with PKCE; this is the sample.
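The auth code flow with PKCE mentioned in the answer above, as an added Node.js example that is not part of the original thread, the linked sample, or MSAL itself: it shows that only an S256 challenge travels in the authorization request, while the verifier is held back until the code is redeemed. The function names and all tenant, client and redirect values are hypothetical; a real app would normally let MSAL do this.

```javascript
// Added example: PKCE (RFC 7636) for the authorization code flow. Names are hypothetical.
const crypto = require('node:crypto');

// 32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43-128).
function createCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallengeS256(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Build the authorization request. Only the challenge leaves the client here;
// the verifier stays with the app until the code is redeemed.
function buildAuthorizeUrl({ tenant, clientId, redirectUri, scope }) {
  const verifier = createCodeVerifier();
  const state = crypto.randomBytes(16).toString('base64url');
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code', // not "token" / "id_token", which is the implicit flow
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Check the redirect, then build the token request body that carries the verifier.
function buildTokenRequest(redirectedTo, pending, { clientId, redirectUri }) {
  const params = new URL(redirectedTo).searchParams;
  if (params.get('state') !== pending.state) throw new Error('state mismatch');
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in redirect');
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
    code_verifier: pending.verifier,
  });
}
```

An authorization code seen in the redirect URL cannot be redeemed without the matching `code_verifier`, which is the property the implicit flow's fragment-delivered tokens lack.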