It's way easier to protect from CSRF - either via SameSite or Anti forgery tokens.

Stealing tokens via XSS is way harder to solve.