I know this question is not anything new, possibly already been discuss all over the internet.
I'm new to it but after some study, I agree that it is safe as anonymous could sniff the Token but unable to append anything on it. I'm planning to store JWT in HTML5Storage, and decode the payload for some in-sensitive information: DisplayName, email_address, and role_info and etc.
Here is my question, could anonymous sniff my JWT Token and act on-behalf of me?
If that is possible, how can I avoid that?
So to answer your question if signed and encrypted with industry secure standards in flight (over the wire) and at rest (ie: database) yes it's secure.
In terms of spoofing as you need to pre-cautions in areas of session jacking and/or token jacking and prevention against things like rainbow tables.
JOSE really is just a standard no matter what standard, what you are really asking is about best practices for security measures, you should refer to OWASP as well https://www.owasp.org/
Does that help clarify your question?