Hacker News

szmarczak, yesterday at 10:34 PM, 0 replies

> A lot of times local storage is much less secure than using cookies.

Is it? If an attacker can't do XSS then it's as strong as cookies.

Supply chain attacks aren't an argument here because they can also happen with cookies. CSRF as well. The same can happen in actual executable binaries.

I don't get the 20 yr age argument:

- HttpOnly fights XSS which is impossible to execute with modern frontend frameworks.

- SameSite fights CSRF but the real solution is to disable loading the website in iframes (remember clickjacking?).

- Secure fights MITM which is already fixed by default when using local storage and HSTS is the real deal.

Having said that, I'd say that local storage is more secure than cookies (no need to remember whether you put Secure on or not). Unless you're still using PHP, which means touch grass.
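An added example, not part of the comment above, for the three cookie attributes it lists: a small Python check that audits Set-Cookie header values and names the threat each missing attribute leaves open. The attribute-to-threat mapping follows the comment's own list; the sample headers are constructed.

```python
# Added example (not from the HN comment): audit Set-Cookie headers for the
# Secure / HttpOnly / SameSite attributes and report which threat each missing
# attribute leaves open. Sample headers below are constructed.

# attribute (lowercase) -> threat it mitigates, per the comment's own list
ATTRIBUTE_THREATS = {
    "httponly": "XSS: page scripts can read the cookie",
    "secure": "MITM: cookie is also sent over plaintext HTTP",
    "samesite": "CSRF: cookie is attached to cross-site requests",
}


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    return name, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return one finding per missing or weakened attribute; empty list means all present."""
    name, attrs = parse_set_cookie(header)
    findings = []
    for attr, threat in ATTRIBUTE_THREATS.items():
        if attr not in attrs:
            findings.append(f"{name}: missing {attr} ({threat})")
    # SameSite=None explicitly re-enables cross-site sending, so flag it separately
    if attrs.get("samesite", "").lower() == "none":
        findings.append(f"{name}: SameSite=None sends the cookie on cross-site requests")
    return findings


# Constructed sample: the same session cookie set three ways
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",                                   # no protective attributes
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",   # all three present
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",  # cross-site sending re-enabled
]


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Audit every header and keep findings keyed by the original header text."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings or ["ok"]:
            print("  -", finding)
```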