In general it's recommended not to store refresh tokens in local storage. The Auth0 documentation advises against it.
Even though I am aware of the underlying threats, what I am not aware of is whether there are any alternatives for storing those tokens so that they persist for the duration of a user's session when the API server is different from the client. If the tokens are only stored in memory, then the user will have to log in every time he closes a tab, for example, and later on visits the site again.
Finally, I think refresh token rotation would mitigate the risk of having the tokens stolen anyway. So in light of that, the above recommendation doesn't look very valid.
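
The refresh token rotation mentioned in the question, sketched as an added example (not part of the original post and not Auth0's code): a server-side store that issues a new refresh token on every exchange and revokes the whole token family when an already-rotated token is presented again. The class, method names and the user id are hypothetical, and the in-memory dictionary stands in for the authorization server's database.

```python
import secrets


class ReuseDetected(Exception):
    """An already-rotated refresh token was presented a second time."""


class RefreshTokenStore:
    """In-memory stand-in for the authorization server's token table (hypothetical)."""

    def __init__(self):
        self._tokens = {}      # token -> {"family", "user", "used"}
        self._revoked = set()  # family ids revoked after a reuse event

    def login(self, user_id):
        """Start a new token family for a fresh login and return its first token."""
        return self._issue(secrets.token_hex(8), user_id)

    def _issue(self, family, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "user": user_id, "used": False}
        return token

    def refresh(self, token):
        """Exchange a refresh token for (user_id, new_refresh_token)."""
        record = self._tokens.get(token)
        if record is None or record["family"] in self._revoked:
            raise PermissionError("unknown or revoked refresh token")
        if record["used"]:
            # Two parties hold this token; the server cannot tell which one is
            # legitimate, so every token descended from this login is revoked.
            self._revoked.add(record["family"])
            raise ReuseDetected("refresh token reuse, family revoked")
        record["used"] = True
        return record["user"], self._issue(record["family"], record["user"])


def demo():
    """Constructed scenario: a copy of the first token is replayed after rotation."""
    store = RefreshTokenStore()
    first = store.login("alice")      # constructed user id
    _, second = store.refresh(first)  # legitimate client rotates
    outcomes = []
    for label, tok in (("replayed copy", first), ("current token", second)):
        try:
            store.refresh(tok)
            outcomes.append((label, "accepted"))
        except (ReuseDetected, PermissionError) as exc:
            outcomes.append((label, type(exc).__name__))
    return outcomes
```

In this sketch the replay is detected only once both holders of the token have presented it, and the revocation also ends the legitimate session, so the user has to log in again.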