How to use Auth0 SDK inside of React Class Component

I think you are correct in suggesting that state is still vulnerable, but it is less vulnerable than web storage because of it’s app-specific nature. This is outlined by one of our senior support engineers here: