barnabysurely it just transfers all the token leakage risk to the refresh token, and depending on how short-lived the access tokens are, a little-used client might end up making more refresh token exchange requests than API requests with the access token in
