There are many situations in which an access token would be leaked without a refresh token. Even if a refresh token is leaked it’s useless to a malicious user without also having the client secret associated with the app that created that token in the first place. The number of leaked (and still valid) access tokens is a security risk, from my experience the number of leaked refresh tokens along with client secret is very minimal, but I’m sure Twitch have more data on the security implications (either way, minimising a known area of attack is a good move, and indefinite tokens seemed more out of laziness on the part of devs rather than a sufficient need)