Cookies and JWTs are not alternatives to each other. You can store a JWT in a cookie.


You can also store a JWT in localStorage and require an additional secure signature for it within a cookie (http-only). Best of both worlds.


If doing that, why not go full-mode and store JWT in cookie with http-only flag?


There are good uses for page content to know what's in the JWT (display username, show logged-in status, etc). Cookies also have stricter size limits. Additionally, cookies by themselves are uniquely vulnerable to CSRF, although I guess these days using SameSite property correctly mitigates that.


You can prevent CSRF attacks by simply requiring a custom HTTP header: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...
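As an added example (not from any of the commenters), here is a server-side check for the split-token pattern discussed above: the JWT's header.payload lives in localStorage and is sent as a bearer header, the HMAC signature lives in an HttpOnly cookie, and the required Authorization header doubles as the CSRF defence, since a cross-site form post can set neither it nor the tampered payload. The secret, the `jwt_sig` cookie name and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_split_token(claims: dict) -> Tuple[str, str]:
    """Return (header.payload for localStorage, signature for the HttpOnly cookie)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())
    return signing_input, sig


def verify_request(headers: dict, cookies: dict) -> Optional[dict]:
    """Accept a request only if the bearer half and the cookie half belong together."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None  # no custom header: a plain cross-site form post lands here
    signing_input = auth[len("Bearer "):]
    sig = cookies.get("jwt_sig")  # constructed cookie name
    if sig is None or signing_input.count(".") != 1:
        return None  # stolen localStorage copy alone cannot authenticate
    try:
        provided = b64url_decode(sig)
        claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None  # payload or cookie tampered with
    if claims.get("exp", 0) < time.time():
        return None
    return claims
```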


True, although in the vast majority of cases JWTs are sent via HTTP headers (especially if you're making requests to multiple domains).

