JavaScript
Islam Ibakaev, 2017-03-30 19:40:19

How easy (or difficult) will it be for an attacker to steal an access_token from local storage?

With token-based authentication it is an interesting story. The fact is that for the server in this situation it doesn't matter who tries to access the protected data: if you sent the token, then you have the right to receive this data.
It is enough for an attacker to steal your token - your account is compromised.
The choice for storing the token on the client lies between local storage (session storage) and a cookie.
As far as I know, there are no more options.
And both of these methods are a headache (they do not have any default protection against certain types of attacks).
Suppose I logged into your application and received a token from the authorization service.
Then I see two options:
1) the design of the application is such that you put the token in local storage (session storage)
2) the design of the application is such that you put the token in a cookie (this does not contradict the concept of REST, since cookies are a storage mechanism and there is nothing contradictory about storing a token in cookies)
There are two questions:
1) how can I, being an attacker, get access to your local storage?
2) how can I, being an attacker, access your cookies?
It just seems to me that in order to understand what measures to take to protect against all kinds of attacks, it would be nice to understand how they are usually done and how easy or difficult it is.


2 answer(s)
Peter, 2017-03-30
@devellopah

For cookies, you can set the following flags on the server:
Secure - the cookie will be sent over a secure channel (HTTPS).
HttpOnly - don't allow local scripts to read cookies.
From JavaScript it will no longer be possible to get it.

Sergey Sokolov, 2017-03-30
@sergiks

Detailed analysis of this issue in English. In short, the use of cookies is advised.
