Concerns about a typical JWT setup

From my understanding, the current standard when using JWTs for user sessions is to have a short-lived (expires after maybe 15 minutes) access token and a long-lived refresh token (expires after 24+ hours) which can be used to obtain more access tokens.

There seems to be a handful of reasons for this, the main ones being:

  • To decrease server load regarding authentication and session management.
  • To prevent an attacker from having long term access if they somehow obtain an access token.
  • To prevent new access tokens by revoking refresh tokens.

My concerns are:

  • Why do people think 15 minutes is short enough to prevent an attacker from doing whatever they want? A lot of damage can be done in 15 minutes.
  • If an attacker can obtain an access token, then they can most likely obtain a refresh token as well. This would allow them to obtain any as many access tokens as they need (until someone figures out that the refresh token has been compromised).

Am I missing something here? Or are JWTs not really meant for security? Are they really only meant to decrease server load?