These hit pieces against JWT are exhausting. They keep stirring up old fearmongering narratives which were disproved ages ago. JWTs are ideal for many situations. It's difficult to overstate how much simpler and more efficient JWTs are compared to having to keep track of session IDs on the backend. It's not just about scalability bottlenecks; a common problem with sessions is that there are multiple scenarios which can cause stale sessions to be left behind and, therefore, cause them to accumulate (and thus lead to a memory leak in your data store); this means that you need to set up cron jobs to clean those up periodically.

Also, the additional overhead (and latency) of having to call a service asynchronously to check if a user is authenticated can add up and makes the service easier to DoS.

While it's true that it's difficult to revoke JWT tokens to ban users, there are multiple ways around it which are still much simpler than the alternative of having to maintain an additional system to maintain sessions on the back end. For example, for many scenarios, you could issue JWTs with short (e.g. 10 to 30 minute) expiries and you could issue/refresh them periodically so that they will not expire while the user is online.

To ban a user, you would just need to stop issuing new tokens to that user and their ban would take effect in a few minutes; this is fine for a lot of use cases.

For situations where urgent bans are necessary, you could always keep an IP blacklist; while this may require an additional DB (or data store) lookup, blacklists are very low-maintenance because they don't require constant refreshing, updating and cleaning as sessions do.