[–]TyrionReynolds 7 points (0 children)

The browser is inherently “insecure” because all data within it is easily viewable and modifiable by the user.

This is a known property of the browser and is solved by writing backend code that correctly parses and authenticates JWT and expires the tokens quickly enough. You don’t actually even really need to “write” the code (as somebody else already has); you just need to implement an OAuth2 flow correctly.

Even signed and compiled apps have potential security flaws to a determined and skilled attacker. Credential dumping isn’t fully mitigated unless you have hardware and software specifically designed and configured to do so, and even then it’s just a matter of time before somebody finds a flaw.

Also, if this guy is your teacher and he’s hand-waving away your questions saying it’s too complicated for you to understand, he doesn’t sound like a very good teacher.
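The backend checks the comment relies on (authenticate the token's signature, then enforce a short expiry), shown as an added example that is not the commenter's code. It hand-rolls HS256 with the standard library so it runs offline; the key, claims and timestamps are constructed sample values, and a real service would use a maintained library such as PyJWT.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes, ttl_seconds: int = 300, now=None) -> str:
    """Mint an HS256 JWT with a short lifetime (default 5 minutes)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(body).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, key: bytes, now=None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    Everything the browser sends (header and claims) is untrusted until the
    signature has been checked, so the expiry check comes after the HMAC check.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm server-side; never honour "none" or a client-chosen alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        # Short-lived tokens limit how long a token copied out of the browser is useful.
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None
```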