Hi @tamuhey,
Welcome to the Community!
Yes. With the re-use detection capability of RTR they can be stored in localStorage. If you aren’t currently using the auth0-spa-js SDK, I would recommend taking a look to see if it fits your use-case:
https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens
If a non-rotating refresh token was compromised in an XSS attack, an attacker could make requests with this token without any automatic mechanism for detecting and revoking the token. RTR adds a mechanism for automatically revoking a token that is compromised. This is explained at length in our blog:
The added security of RTR comes from their rotating nature, not just their lifetime. This prevents a token from being used simultaneously by an attacker and an authenticated user. More on that in the blog I linked.
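
The reuse detection described in the reply above, modelled server-side as an added example (not part of the original post and not Auth0's code). The class, method and reason names are hypothetical, and the token values are constructed counters standing in for random tokens.

```javascript
// In-memory model of refresh token rotation (RTR) with reuse detection.
// Hypothetical names; a real authorization server persists this state
// and issues unguessable random tokens.
class RotatingTokenStore {
  constructor() {
    this.tokens = new Map();         // token -> { family, used }
    this.revokedFamilies = new Set();
    this.seq = 0;
  }
  mint(family) {
    const token = `rt-${++this.seq}`; // constructed value, not a real token
    this.tokens.set(token, { family, used: false });
    return token;
  }
  login(user) {
    // Each login starts a new token family.
    return this.mint(`${user}#${++this.seq}`);
  }
  refresh(token) {
    const rec = this.tokens.get(token);
    if (!rec) return { ok: false, reason: 'unknown_token' };
    if (this.revokedFamilies.has(rec.family)) {
      return { ok: false, reason: 'family_revoked' };
    }
    if (rec.used) {
      // An already-rotated token came back: two parties hold tokens from
      // this family, so every descendant is revoked, not just this one.
      this.revokedFamilies.add(rec.family);
      return { ok: false, reason: 'reuse_detected' };
    }
    rec.used = true;                  // single use: rotate on every refresh
    return { ok: true, refreshToken: this.mint(rec.family) };
  }
}

// Two parties hold the same token (e.g. one copy read out of localStorage).
// Whichever refreshes second triggers detection; the first one's newer
// token then stops working as well.
function simulate() {
  const store = new RotatingTokenStore();
  const shared = store.login('alice');
  const first = store.refresh(shared);   // rotation succeeds
  const second = store.refresh(shared);  // same token again: reuse
  const later = store.refresh(first.refreshToken); // descendant is dead too
  return { first, second, later };
}

console.log(simulate());
```

The outcome is the same whether the legitimate client or the attacker refreshes first: the family is revoked and the user has to re-authenticate.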