JWT token is always exposed to the client side, whether it's store in
localStorage or in
cookies. I read somewhere sending jwt token through query params in socket
(socket.io) is a bad idea, but why? the token doesn't have the password, I just don't see how it can cause security issue, isn't client side the jwt token is always there?
You are right, JWT tokens are generally accessible on the client side through either cookies or local storage. They generally contain low-risk information such as "Contact Information" or basic user details, so there isn't too much security risk involved.
As for passing it via query strings in Socket.io even though it probably won't be much of a risk, it goes against best practice to include any user information in a readable manner such as query parameters.
This article has a similar viewpoint and a better solution for you if you are curious: