Keeping a JWT in localStorage doesn't just open you up to XSS, it also opens you up to session hijacking (a much more severe vulnerability imo). If someone/-thing grabs that token, then it has free access to your API for X amount of time. And since detecting that a 3rd party's or extension's script is reading something from your localStorage is impossible, then they can simply wait for the user to renew their session and attack again.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Keeping a JWT in localStorage doesn't just open you up to XSS, it also opens you up to session hijacking (a much more severe vulnerability imo). If someone/-thing grabs that token, then it has free access to your API for X amount of time. And since detecting that a 3rd party's or extension's script is reading something from your localStorage is impossible, then they can simply wait for the user to renew their session and attack again.