> I can extract the cookies from the headers, but would have to set them manually on each subsequent request

We have interceptors that would do that for you.

> So there is the issue with persistence, saving it in shared_preferences would result in the refresh token being saved to local storage.

Yes. But unlike the browser, the risk of token theft via XSS is very low on mobile apps.