Plus storing access token in memory would result in doing extra refresh calls every time the user reloads the page + you would have to prevent against CSRF attacks anyway to prevent the refresh endpoint from being called from a malicious site