Correct usage and storage of social IdP access tokens for a Single Page App

Hi, thanks in advance and I hope this is not a duplicate.

I am developing a Next.JS SPA and already using Auth0 to handle authentication with the option for sign in with Google. Now I would like to integrate the web app with Google Drive so users can store the files they create to Google Drive. I have read the documentation around Identity Provider Access Tokens and can successfully retrieve the user’s access token using the Management API and a Lambda function, but I am not entirely sure how to now correctly use it with the Google API securely.

Normally when handling a secret for authentication, I would set it to a HTTP only cookie, but if I do that in this case, then the Google API client will not be able to access it. I could return the token within the body of a request and hold it as a runtime variable, but is this secure? I am wondering if I ensure the code is correctly closed (i.e. the variable storing the access token is never part of the global scope) then no nasty browser extensions can access it?