Any values stored in memory are still vulnerable to XSS attacks since they’re accessible by JavaScript. Agreed?
Agreed. The main difference is that localStorage makes it even easier to enumerate the contents. The point of this is just to avoid a brute force XSS attack from being able to dump your localStorage somewhere else that could allow it to be used for nefarious purposes. Storing in memory just makes it so someone has to go through the extra effort of targeting your app specifically. But yes, memory is still susceptible to XSS attacks.
There is a certain amount of risk inherent in using SPAs and security. Not storing the tokens is just one good practice to add to others, like limiting the duration of the tokens meant for the front-end and also limiting the information and permissions that these tokens carry. Or, if your application architecture permits it, keep tokens in the browser and use cookie authentication coupled with a backend.
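An added example (not from any poster in this thread) that puts the two points above side by side: a token kept in a closure is not enumerable the way web storage is, and giving it a short lifetime bounds how long a leaked copy stays useful. It assumes a constructed `Map` standing in for `window.localStorage` so the contrast runs under Node.

```javascript
// Constructed stand-in for window.localStorage (hypothetical; for the comparison only).
// Like the real thing, every key is enumerable by any script running on the origin.
const fakeLocalStorage = new Map();

// In-memory holder: the token lives only in this closure. A script still has to
// call get() on this specific object to obtain it; nothing can list it as a key.
function createTokenHolder(maxAgeMs = 5 * 60 * 1000) {
  let token = null;   // never assigned to a property, so not enumerable
  let expiresAt = 0;

  return {
    set(value, now = Date.now()) {
      token = value;
      expiresAt = now + maxAgeMs;
    },
    // Returns null once the token is stale, forcing the caller to refresh it
    // rather than keep using a long-lived credential.
    get(now = Date.now()) {
      if (token === null || now >= expiresAt) {
        token = null;
        expiresAt = 0;
        return null;
      }
      return token;
    },
    clear() {
      token = null;
      expiresAt = 0;
    },
  };
}

// Web storage: one call lists every key, which is the enumeration the thread describes.
function enumerableKeys(storage) {
  return Array.from(storage.keys());
}
```

Serializing the holder with `JSON.stringify` yields `{}`, whereas the storage map exposes its keys and values.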