Basic question about JWKS URL

Hey there @mhmh33usas welcome to the community!

Great question :slight_smile: Having the JWKS endpoint publicly available does not introduce a security risk, as the information it provides is meant to be public. The JWKS URL (https://<my-auth0-domain>/.well-known/jwks.json) is standard and adheres to the specifications for OpenID Connect and OAuth 2.0.

JWTs signed with an asymmetric algorithm (RS256 for example) rely on a pair of keys: a private key to sign the token and a public key to verify it. The security of this system relies on keeping the private key secure, while the public key is freely distributed to allow verification of the token’s authenticity.
