bangaladore 17 hours ago

Interesting. I agree with the other commenter that the post should've included how an account takeover was possible.

You mention one method being a cookie sent to an attacker-controlled domain, but that in itself is a vulnerability given that it is incorrectly scoped (missing HttpOnly & SameSite at least).

> the auth token is stored in local storage

Has anyone reported this (rhetorical question)? What in the world could be the justification for this?

In my opinion, any full account takeover due to XSS is a vulnerability, even ignoring the XSS itself. Changing email/password/phone should require verification back to one of those methods, or at least input of the previous password.
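As an added example (not part of the comment above or of the project it discusses), a small Python auditor for the cookie scoping the comment refers to: it parses a Set-Cookie header and reports a session cookie that lacks HttpOnly, Secure or SameSite. The two sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the scoping gaps that let an
# injected script read or leak a session cookie. Sample headers are constructed.
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie header into (name, value, {attribute: value-or-None}).
    Attribute names are compared case-insensitively, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return findings for a session cookie; an empty list means it is scoped
    the way a session cookie should be."""
    name, _, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie exposes it to XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may travel over plaintext HTTP")
    samesite = (attrs.get("samesite") or "").lower()
    if not samesite:
        findings.append("missing SameSite: set Lax/Strict explicitly, not browser defaults")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: cookie is shared with every subdomain")
    # The __Host- prefix is only honoured with Secure, Path=/ and no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        findings.append("__Host- prefix requirements not met; browser drops the cookie")
    return findings


# Constructed sample headers: the weakly scoped cookie beside a hardened one.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        print(hdr, "->", audit_set_cookie(hdr) or ["ok"])
```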