Sep 13, 2019
It’s no different from cookies, I suppose. If you manage to inject XSS, nothing is safe client-side. Do you have an alternative? Where should we store session/user information?
My approach to JWT tokens is to make them short-lived and refresh often: not 100% safe, but at least most tokens would have expired by the time the attacker manages to make use of them.
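The short-lived-token approach described in the comment above, as an added Python example that is not the commenter's code: it mints an HS256 JWT whose `exp` is only five minutes ahead, rejects it once expired or tampered with, and a hypothetical `refresh()` re-issues a token only while the current one still verifies. The secret, subject and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-secret-not-for-production"  # constructed; load from a secret store in practice
ACCESS_TTL = 300  # seconds: a short-lived access token limits how long a stolen one is usable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, now: int, ttl: int = ACCESS_TTL) -> str:
    """Build an HS256 JWT for `sub` whose 'exp' is `ttl` seconds after `now`."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and 'exp' has not passed, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # only accept the algorithm we issued with
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):
        return None  # expired: this is what limits the window for a stolen token
    return claims


def refresh(token: str, now: int) -> Optional[str]:
    """Hypothetical refresh policy: re-issue a fresh short-lived token only while the current one verifies."""
    claims = verify_token(token, now)
    return mint_token(claims["sub"], now) if claims else None
```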