The "problem" is that JWTs are just a container format. There's nothing saying they even have to be signed, though they're designed to be more easily signed or encryptable. I've implemented the ridiculous SAML enveloped encryption/signature standard and canonicalization, and honestly, the simplicity of JWT while still providing for resilient security is a fine reason for its popularity when compared to some of the alternatives for federated id/authentication.
The right thing to do is use web standards (like OIDC) and libraries and existing tools (keycloak, ory suite, et al), same as with cookies. You can do the wrong things with both JWTs and cookies, and any other client-identifying technology.
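The point that a JWT is only a container, and that the header's `alg` field is untrusted input, is easiest to see in code. The following verifier is an added example, not code from the commenter or from any of the tools named above; it uses only the Python standard library, and the key, claims, tokens and helper names are constructed here for the demonstration. It accepts a token only when the algorithm is on an explicit allowlist, the HMAC signature checks in constant time, and `exp` is present and in the future.

```python
"""
Added example: a minimal HS256 JWT verifier that treats the token as an
untrusted container. The header never selects the verification method;
an allowlist does. Key and tokens below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # explicit allowlist; "none" is never in it


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Create a signed HS256 token (used here only to build sample input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Order of checks: structure, algorithm allowlist, signature (constant-time
    comparison), then expiry. Claims are only parsed after the signature holds.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


# Constructed sample input: a hypothetical key and a token valid for one hour
# after a fixed reference time, so the checks below are deterministic.
KEY = b"example-secret-key-not-for-production"
REF_TIME = 1_700_000_000
VALID = mint_hs256({"sub": "alice", "exp": REF_TIME + 3600}, KEY)

# Same claims, but the header claims no algorithm and the signature is empty.
UNSIGNED = ".".join([
    _b64url_encode(b'{"alg":"none","typ":"JWT"}'),
    VALID.split(".")[1],
    "",
])


def check_valid() -> str:
    """A properly signed, unexpired token yields its claims."""
    return verify(VALID, KEY, now=REF_TIME)["sub"]


def check_unsigned_rejected() -> bool:
    """A token whose header opts out of signing is rejected by the allowlist."""
    try:
        verify(UNSIGNED, KEY, now=REF_TIME)
    except ValueError:
        return True
    return False


def check_tampered_rejected() -> bool:
    """Editing the payload while keeping the old signature fails verification."""
    header_b64, _, sig_b64 = VALID.split(".")
    new_payload = _b64url_encode(b'{"sub":"admin","exp":%d}' % (REF_TIME + 3600))
    try:
        verify(".".join([header_b64, new_payload, sig_b64]), KEY, now=REF_TIME)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(check_valid(), check_unsigned_rejected(), check_tampered_rejected())
```

In a real deployment this logic belongs in a maintained library, as the comment says; the design point the example makes is that the verifier, not the token, decides which algorithm and key apply, and that claims are read only after the signature has been confirmed.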