How to prevent users from creating custom client apps?


Imagine I have a web-app called CoolApp that accesses its server via JWT access+refresh tokens. What's stopping the user from grabbing these tokens and then creating their own CustomCoolApp?

For example, what's stopping me from creating a completely custom app for, say, Reddit, making a request to /login, getting JWTs and using them inside my custom app?

Shashank Kawle On

Users can only grab the JWT token if the provider of the token is a public endpoint open to all. If you have control over the endpoint providing the JWT token, you can set up basic CORS policies so that only your app will be whitelisted and able to access the endpoints. Here is a sample example of CORS settings: https://blog.logrocket.com/using-cors-next-js-handle-cross-origin-requests/