depends on the grant type and what scenario we're talking about. things change if we're talking about 3-legged oauth or client-device oauth. for example, in an authorization code flow, the refresh token is useless without the client id/secret.

more providers are making refresh-tokens single shot. this means that if someone refreshes your token for you, your own auth will break as you will not be eligible to refresh the token, at which point you could reconnect the app and void the old (stolen) session.

time-limiting and single-purposing the tokens are not cure-alls, but they do certainly offer enhanced security by limiting the amount and scope of damage.