This does not address how much the JWT header is a security footgun (e.g. you can inline remote keys into the header). If you are doing something simple you can disable all "advanced" features and be pretty safe, but if you are doing something a bit more complex it is not so easy.

The only case where JWTs are actually useful is when the producer and consumer do not share a DB (e.g. OAuth/OIDC, IoT deployments, heavy microservice architectures); otherwise a good cached session store should handle well up to a few orders of magnitude below Google scale.
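One way to do the "disable all advanced features" approach the comment recommends, as an added example that is not the commenter's code or any library's API: a strict HS256 verifier that pins a single key, allow-lists the algorithm, and rejects any header field (`jku`, `jwk`, `x5u`, `x5c`) that would let the token supply its own key material. The function names and the demo key are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads it from a secret store.
PINNED_KEY = b"constructed-demo-key-do-not-reuse"
ALLOWED_ALGS = {"HS256"}
# Header fields that let a token tell the verifier where its key lives.
KEY_SOURCING_FIELDS = {"jku", "jwk", "x5u", "x5c"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint(payload: dict, header: Optional[dict] = None) -> str:
    """Constructed helper: sign a token with the pinned key (header overridable for tests)."""
    h64 = b64url_encode(json.dumps(header or {"alg": "HS256", "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(PINNED_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


def verify(token: str) -> Optional[dict]:
    """Return the payload only if every strict check passes; otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Only the pinned algorithm is accepted: no "none", no RS/HS confusion.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    # Refuse headers that try to point the verifier at remote or inline keys.
    if KEY_SOURCING_FIELDS & header.keys():
        return None
    expected = hmac.new(PINNED_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return payload
```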