I’m assuming that in your second paragraph when you mention JWT you’re referring to an access token. Keep in mind that neither access tokens nor refresh tokens need to be JWTs; that’s an implementation detail between the authorization server and resource server for the access token case and just an implementation detail of the authorization server in the refresh token case.
If only the access token is leaked then the attacker will be able to use that access token (assuming it is a bearer token) to call the resource servers (aka APIs) for which the access token is valid and until the access token expires (assuming there is no additional mechanism that supports access token revocation/blacklisting).
From the Auth0 perspective and in relation to access tokens, currently there is no support for revocation/blacklisting. However, the attacker would still only be able to use it until it expires, and it is not possible to get a new access token using only another access token (even if valid).
In order to renew an access token, you’ll need the refresh token. In general, and in the Auth0 case also, refresh tokens are valid until manually revoked, so if your application leaks a refresh token an attacker could be able to use it to obtain access tokens forever or until it is manually revoked.
In conclusion, the scenario of renewing an access token with just another access token does not apply.
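The answer above says a leaked bearer access token stays usable until it expires unless an additional revocation mechanism exists. As an added illustration (not part of the original answer and not Auth0's code), here is a resource-server check that enforces expiry and consults a hypothetical `jti` denylist. It assumes the access token is an HS256 JWT; the key, claim layout and function names are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed key shared by issuer and API (assumption)
_REVOKED = set()                     # hypothetical denylist of token ids (jti)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def issue(sub: str, jti: str, ttl: int, now: float) -> str:
    """Stand-in for the authorization server: mint a short-lived access token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(header, body))}"

def revoke(jti: str) -> None:
    """The 'additional mechanism': mark one token id as no longer acceptable."""
    _REVOKED.add(jti)

def check(token: str, now: float) -> str:
    """Resource-server check: algorithm and signature, then expiry, then denylist."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return "rejected: unexpected alg"
        if not hmac.compare_digest(_sign(header, body), _unb64(sig)):
            return "rejected: bad signature"
        claims = json.loads(_unb64(body))
        exp, jti = claims["exp"], claims["jti"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return "rejected: malformed"
    if now >= exp:
        return "rejected: expired"      # a leaked token dies here without any revocation
    if jti in _REVOKED:
        return "rejected: revoked"      # only reached while the token is still in its lifetime
    return "accepted"

if __name__ == "__main__":
    t0 = 1_000_000.0                    # constructed clock value
    leaked = issue("user-1", "jti-1", ttl=300, now=t0)
    print(check(leaked, t0 + 10))       # still inside its lifetime
    revoke("jti-1")
    print(check(leaked, t0 + 10))       # denylist closes the window early
    print(check(leaked, t0 + 300))      # expiry closes it regardless
```

The denylist only needs to hold an entry until that token's `exp` passes, so it stays small when access token lifetimes are short.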