Great question, Ty.
You are correct that we store it in localStorage. However, it is worth noting that localStorage is bound to the URL that stored it. The only way security could be compromised is in the event of an XSS vulnerability, and we have mitigation strategies in place to prevent that. Additionally, as a part of being a registered Salesforce ISV, our product is reviewed by Salesforce’s security team and any outstanding security issues are remediated prior to certification and listing.
Eventually we would like to remove the need to store the token there, but for reasons such as legacy support, this is tricky. We are reviewing internally and considering making the switch in a future release. Thank you for your honest feedback and for being a member of the Skuid Community!