Do you want the token to be available in more than one browser tab? If so, localstorage or cookies is the way to go. If you want to limit access to a single tab, then sessionstorage is the way to go.
Security is a whole other matter. One is not necessarily more secure than the other. There are some arguments that local/session storage can be less secure than cookies if HttpOnly is used on the cookies since then it can't be read by JavaScript, so it can't be accessed by a client-side script without going through some unorthodox measures, whereas local/session storage are designed to be read by JavaScript.
The question to ask is: if an unauthorized person gets the access token, how would you prevent them from using it? It's a valid token, right? Seems like you'd need more than just the access token alone. This is the problem security experts have been dealing with for a very long time, and very elaborate schemes exist to make things more secure. How far do you go, though? The answer to that depends on what it is you're protecting. Financial and health data, for example, are things you take extra measures to secure.