Question Details

No question body available.

Tags

web-applications security authentication oauth2

Answers (2)

November 4, 2025 Score: 5 Rep: 84,688 Quality: Low Completeness: 40%

The attack would take the form of JavaScript loaded from another domain, but executed in the target domain's page.

i.e. I load a script from compromised.advertiser.com/adverts.js and it runs "read local storage and send info to hackers.com".

HttpOnly cookies can't be read by JavaScript.

November 7, 2025 Score: 2 Rep: 114 Quality: Low Completeness: 60%

Just an example of why it isn't a good idea

Really well explained at the beginning, just want to add an example to keep in your pocket.

Indeed, LocalStorage is not a good place in order to store sensitive information.

It doesn't matter if you are a guy in China with only one browser session; there are still ways to collect the user data, e.g. by performing an XSS attack (as mentioned before).

Let's take a stored XSS attack as an example: you live in China and have just logged in to buy a product on an e-commerce website. An attacker plays the role of a vendor. When filling in the product forms, they add a malicious script that gets stored in a database along with the product description, name, etc.

When you view that product page, that script is retrieved along with the PDP (Product Description Page) data, the browser executes the script, and part of the script tries to look for the user's refresh token, which is located inside LocalStorage, and sends it to a specific domain in real time.

The attacker now has your refresh token, which means he can request a new access token and perform operations, or even include that fragment inside the malicious script.

That's why it is always good practice to store sensitive information in HttpOnly cookies; they are not readable via JS code.
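Both answers rest on the same distinction: anything in localStorage is readable by any script that runs in the page, while a cookie marked HttpOnly is withheld from document.cookie. The following is an added example, not code from either answer; it models that distinction in Node with a constructed cookie jar and localStorage stand-in (real browsers enforce this natively), and includes a small Set-Cookie audit helper a defender can run over response headers. The header values and storage contents are constructed sample data.

```javascript
// Added example: which stored secrets an injected page script can reach.
// Assumptions: in-memory stand-ins for the cookie jar and localStorage, since this runs under Node.

// Parse a Set-Cookie header into name/value plus the attribute flags that matter here.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(), httpOnly: false, secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// What document.cookie would expose to a script running in the page: only cookies without HttpOnly.
function scriptVisibleCookies(jar) {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// What a script in the page can read from localStorage: every key, no exceptions.
function scriptVisibleStorage(storage) {
  return Object.entries(storage).map(([k, v]) => `${k}=${v}`);
}

// Defender-side audit: flag Set-Cookie headers that lack the attributes keeping session material off-limits to script.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
  if (!c.secure) findings.push(`${c.name}: missing Secure`);
  if (!c.sameSite) findings.push(`${c.name}: missing SameSite`);
  return findings;
}

// Constructed sample: a weakly set cookie beside a hardened one, and a refresh token kept in localStorage.
const SAMPLE_HEADERS = [
  'refresh_token=rt-abc123; Path=/',
  'session=s-xyz789; Path=/; HttpOnly; Secure; SameSite=Strict',
];
const SAMPLE_STORAGE = { refresh_token: 'rt-abc123', theme: 'dark' };

// Run the model over the sample data and return what a script could reach, plus audit findings.
function demo() {
  const jar = SAMPLE_HEADERS.map(parseSetCookie);
  return {
    cookiesReadableByScript: scriptVisibleCookies(jar),   // only the non-HttpOnly cookie
    storageReadableByScript: scriptVisibleStorage(SAMPLE_STORAGE), // everything in storage
    audit: SAMPLE_HEADERS.flatMap(auditSetCookie),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened `session` cookie produces no audit findings and never appears in the script-visible string, whereas the `refresh_token` cookie set without HttpOnly is just as exposed as the copy in localStorage. The audit helper is the piece worth keeping: run it over your own Set-Cookie headers to catch session or refresh tokens issued without HttpOnly, Secure and SameSite.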