But in your scenario, if the user logouts, then the refresh token that belongs to the attacker cannot be used anymore