People make stupid mistakes like letting people fetch a refresh token using a prior access token... Don't do that. It's supposed to only exist for small time intervals. Essentially, if a bad actor steals an access token they can just keep refreshing the same token indefinitely. The second issue is people who only use JWT for everything. Some user actions like changing password should require JWT and TFA before letting users change their password. Depending on the level of security and the severity of damage done through one action, implement more than one auth check.
The main benefit of JWT is that it reduces DB calls by being stateless: every action a user takes doesn't make the backend request a new user instance.
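As an added illustration (not part of the comment above), a Python sketch of the two guards described: the refresh endpoint only accepts a token whose `use` claim is `refresh`, so a stolen access token cannot be exchanged for new tokens indefinitely, and a password change requires a recent TFA-backed login on top of a valid JWT. The `use`, `amr` and `iat` claim names, the minimal HS256 helper and the demo secret are assumptions made for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # placeholder for the server's real signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Mint a minimal HS256 JWT; the 'use' claim marks it as access or refresh."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, expected_use: str, now: float) -> dict:
    """Check signature, expiry and, crucially, that the token kind matches the endpoint."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("use") != expected_use:  # e.g. an access token sent to the refresh endpoint
        raise ValueError(f"not a {expected_use} token")
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def issue_pair(sub: str, now: float, amr: tuple = ()) -> tuple:
    """Short-lived access token (15 min) plus a long-lived refresh token (30 days)."""
    access = sign({"sub": sub, "use": "access", "iat": now, "exp": now + 900, "amr": list(amr)})
    refresh_tok = sign({"sub": sub, "use": "refresh", "iat": now, "exp": now + 30 * 86400})
    return access, refresh_tok

def refresh(refresh_token: str, now: float) -> tuple:
    """Only a genuine refresh token may mint new tokens; a stolen access token is refused."""
    claims = verify(refresh_token, "refresh", now)
    return issue_pair(claims["sub"], now)  # refreshed tokens carry no 'mfa' marker

def can_change_password(access_token: str, now: float, max_age: float = 300) -> bool:
    """Step-up check: a valid JWT alone is not enough, TFA must have happened recently."""
    claims = verify(access_token, "access", now)
    return "mfa" in claims["amr"] and now - claims["iat"] <= max_age

def rejected(fn, *args) -> bool:  # True if the call is refused with ValueError
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```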