If you follow common security steps then there’s no reason to assume doing the refresh step through a server rather than client side would be insecure (and the number of server-side apps on Twitch that have never had security issues, and all do refreshing server-side, should be evidence that it’s not something to be afraid of).
While I’m sure Twitch have data on the security side of this, it’s not the sort of thing they disclose as it’s one of those things they keep quiet on for obvious reasons. So we may never get to see the exact reasoning and stats for why refresh tokens were implemented, but at least they have given us more than enough warning and have been telling us for ages that refresh tokens are going to happen.