> look for the JWT access token in a revocation list that is only accessed during sensitive, infrequent requests
I've clearly spent too much time working with data covered by HIPAA because this sentence gave me a brief bit of panic. The vagueness and extent of what it technically covers means it's far safer to just assume literally everything about your users needs maximum security.
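The pattern quoted above (a cheap stateless signature and expiry check on every request, with the revocation list consulted only for operations the deployment marks as sensitive), as an added example that is not from either commenter. The signing key, the set of sensitive operations and the in-memory revocation set are constructed for the demo; a real deployment would back the set with a shared store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed sample key for the example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT (hand-rolled so the example runs without PyJWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_stateless(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Signature and expiry only: no storage lookup, so it runs on every request."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

# Revoked token ids (jti). Constructed in-memory stand-in for a shared store.
REVOKED_JTI: set = set()

# Only these operations pay for the revocation-list lookup (constructed list).
SENSITIVE_OPS = {"change_password", "export_records", "delete_account"}

def authorize(token: str, operation: str, now: Optional[float] = None) -> bool:
    claims = verify_stateless(token, now)
    if claims is None:
        return False
    if operation in SENSITIVE_OPS:
        # A token without a jti can never be revoked, so reject it on the sensitive path.
        jti = claims.get("jti")
        if jti is None or jti in REVOKED_JTI:
            return False
    return True
```

The trade-off the quote implies is visible in `authorize`: a revoked token keeps working on the cheap path until its `exp` passes, so the access-token lifetime bounds the exposure for everything outside `SENSITIVE_OPS`.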
This is the eternal conversation around auth. “The thing you do doesn’t work for the thing I do.” OK. Use something else.