I got the idea from the Auth0 documentation regarding storing OAuth/OIDC tokens. It reads:
Auth0 recommends storing tokens in browser memory as the most secure option. Using Web Workers to handle the transmission and storage of tokens is the best way to protect the tokens, as Web Workers run in a separate global scope than the rest of the application. Use Auth0 SPA SDK whose default storage option is in-memory storage leveraging Web Workers.
I can see how this is better than just putting the token or other sensitive information in localStorage, where an XSS attack needs only to execute localStorage.token to get the token.
Now, if you’re not familiar with tokens, just apply this reasoning to any sensitive information. In my case I want to build a client-side cache mapping user IDs to usernames for an administrative interface, but I realize that client IDs and usernames are somewhat sensitive, so I wondered if I could “hide” the data.