In general, it is recommended not to store update tokens on local storage. (auth0)
Although I know the underlying threats, what I don't know is if there is any alternative on how to store those tokens to have persistence between user sessions when the api server is different from the client. If the tokens are only stored in memory, the user will have to log in each time they visit the site.
Finally, I think update token rotation would mitigate the risk of token theft anyway. In light of that, the above recommendation does not seem very valid.