> Just please for the love of all that's good and pretty, don't store a JWT in a httpOnly cookie.

Depends on who is saying, I've read the same thing but the other way around. Never store a JWT in LocalStorage and always store it in a httpOnly cookie.