auth0.getTokenSilently vs storing access token in localstorage

Hi !

I have been reading a lot these last days about oauth2/accessToken/localStorage/cookies/xss/csrf and i learned a lot of things while reading.

I’m only sceptical about one thing in Auth0 documentation: Auth0 Single Page App SDK

In the " Change storage options" section, you mention :
“Storing tokens in browser local storage provides persistence across page refreshes and browser tabs. However, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage.”

However, in the “Call an API” section, you mention this method:

const accessToken = await auth0.getTokenSilently();

//The attacker could create auth0 variable with
const auth0 = new Auth0Client({
  domain: '{yourDomain}',
  clientId: '{yourClientId}'
});
//And then get the token + fetch data from API. 

My question is, what does prevent an XSS attacker from calling const accessToken = await auth0.getTokenSilently() in a script (instead of localstorage) and then using it to call APIs ?

Thanks in advance and don’t hesitate to tell me if my question is not clear.