From my understanding, the point of having a refresh token and short lived access tokens is to mitigate the consequences of having the access token stolen. This way, if this happens, the attacker will only be able to use it for a very short duration of time.
However, because refresh tokens and access tokens are usually stored in the exact same way on client-side/JavaScript apps, usually on local storage or session storage, the effort/difficulty of stealing the refresh token is the same as the access token, which means that an attacker can steal the refresh token as easily as he would be able to steal the access token and thus request as many access tokens as he wants until the refresh token expires.
If this is true, then what real difference is there between having a long lived refresh token and a short lived access token versus just having a long lived access token on client-side/JavaScript apps? You could store the refresh token in a secure http-only cookie to prevent XSS attacks but you could do the exact same thing with access tokens.