Developer Questions

Hello, after my user signed in and i fetch the payload i've got the user_token and wallet address. is it okay to store the user_token client side ? im wondering if a 3rd party if obtained the user_token could do some bad stuff with it like pushing malicious sign requests to the user ?

Thank you !