Can you expand on the security considerations?

[LifeIsStrange]

you might be thinking you can already share a global state with a simple export const state = reactive({}). This is true for single page applications but exposes your application to security vulnerabilities if it is server side rendered.

https://pinia.esm.dev/introduction.html#why-should-i-use-pinia
@posva

[posva]

You should be able to find proper docs in Nuxt or Vue SSR docs. Here are some search tems that should help you: ssr shared state. Basically, depending on how you do SSR, you could end up sharing the global state between two request, which could expose tokens.