Hi! Thank you for the article.
Donald Pipowitch
63

Donald, the primary concern is XSS or any other scripting vulnerability. If JavaScript has full access to the JWT, any scripting vulnerability will allow the attacker to steal the full JWT and act on the user’s behalf. By putting the signature portion of the JWT in a place JavaScript cannot access (HTTPOnly cookie), that risk is minimized.