# general
r
Not really. The JWT is stored in an httpOnly cookie, so the JS on the frontend can't read it anyway. If somehow it's stolen, then the attacker can use it to access APIs (and get / modify any user info), regardless of whether it's a JWE or JWS.