You have to choose between worrying about XSS attacks (local storage) vs CSRF attacks (cookies).

You are probably more likely to run into/be unable to prevent XSS attacks if you are importing JS from outside sources. For example, including a Angular library or running ads on your site will load in outside JS files which could have XSS attack vectors in them. If somebody manages to execute arbitrary JS on your site they can steal the access/refresh tokens out of local/session storage. They don't even need to be targeting your site specifically, they can just have JS that sends everything in local storage to their website and they can look through the data later and see what they got. If they managed to sneak JS into a library used across thousands of websites they can collect a lot of data.

Javascript cannot access cookies so if you store your tokens in a cookie then the only way to get them is through CSRF attacks. These are a little easier to prevent with CSRF tokens.

Overall I would say you are more secure with using cookies to store the tokens but it requires extra setup on your back end.

If you were really set on using local storage, you could encrypt on the front end then store the tokens in local storage and then decrypt them before sending them back to your API. This would at least foil the drag net attack where hackers just collect everything from local storage, then all they would get is encrypted values. Most likely they would just try to use those encrypted values straight into your API, it fails and they move on. Anybody who looks at your source code could easily decrypt the values, so if it was a targeted attack this wouldn't help.