Any JavaScript code on your page can access local storage: it has no data protection whatsoever. This is the big one for security reasons (as well as my number one pet peeve in recent years).
Ok, but if you're dealing with an XSS attack then any JavaScript on your page can also make network requests using your cookies. Sure, the tokens themselves haven't been stolen, but the attacker can still use them however they want from right there in the browser.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Ok, but if you're dealing with an XSS attack then any JavaScript on your page can also make network requests using your cookies. Sure, the tokens themselves haven't been stolen, but the attacker can still use them however they want from right there in the browser.