You're absolutely correct. Storing JWT tokens in memory on the client side is faster and gives developers more control, but it can be less secure against certain types of attacks. On the other hand, using HTTP-only and secure cookies is safer because it prevents some types of attacks, but it's a bit slower and more automatic.
In both cases, whether you store the token in memory or use HTTP-only, secure cookies, if an attacker can access the request headers, they can potentially copy the token.
In simple terms:
In-Memory Storage: Quick and under your control but can be risky if not protected from attacks.
HTTP-only, Secure Cookies: Safer, but a bit slower and more automatic.
The best choice depends on your project's needs, but sometimes it's smart to use both for a balance of speed and security.
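As an added example (not part of the original reply): a small Node.js check that a `Set-Cookie` header carrying a JWT really has the `HttpOnly` and `Secure` attributes the reply refers to. The cookie name, the sample headers and the extra `SameSite` check are assumptions of this example.

```javascript
// Added example: audit the attributes of a Set-Cookie header that carries a JWT.
// The cookie name "session" and every header below are constructed samples.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: new Map(),
  };
  for (const attr of rest) {
    if (!attr) continue; // tolerate a trailing ";"
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(key, i === -1 ? true : attr.slice(i + 1).trim());
  }
  return cookie;
}

// Returns the names of the protections that are missing or ineffective.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  // Without HttpOnly, page scripts can read the token via document.cookie.
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  // Without Secure, the browser may send the cookie over plain HTTP.
  if (!attrs.has("secure")) missing.push("Secure");
  // SameSite is not mentioned in the reply; checked here as an extra assumption.
  const sameSite = attrs.get("samesite");
  if (typeof sameSite !== "string") missing.push("SameSite");
  else if (sameSite.toLowerCase() === "none" && !attrs.has("secure")) {
    missing.push("SameSite=None requires Secure");
  }
  return missing;
}

const SAMPLES = {
  hardened: "session=header.payload.signature; Path=/; HttpOnly; Secure; SameSite=Strict",
  scriptReadable: "session=header.payload.signature; Path=/; Secure; SameSite=Lax",
  bare: "session=header.payload.signature; Path=/",
  badNone: "session=header.payload.signature; httponly; samesite=None;",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  const missing = auditTokenCookie(header);
  console.log(label, "->", missing.length ? missing.join(", ") : "ok");
}
```
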