Web Workers (or Service Workers) may prevent exfiltration of access and/or refresh tokens, which is great. They do not solve the fundamental problem of the client being a public client though, which means that an attacker can just obtain their own set of tokens.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-8.2
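An added sketch (not from the comment above or the linked draft) of the worker side of this pattern: the worker redeems the authorization code itself, keeps the access token in a closure, and attaches it only to requests for one API origin. The endpoints, client id, message types and the injected `fetchImpl` parameter are assumptions for illustration.

```javascript
// Added example: the worker side of the pattern. In a browser, handleMessage
// would be wired to self.onmessage inside the Worker script.
// All endpoints, the client id and the message shapes are assumptions.
const TOKEN_ENDPOINT = "https://as.example.com/token";
const API_ORIGIN = "https://api.example.com";
const CLIENT_ID = "spa-client"; // public client: no secret exists to protect

function createTokenVault(fetchImpl) {
  let accessToken = null; // held only in this closure, inside the worker

  // Returns the reply the worker would postMessage() back to the page.
  async function handleMessage(msg) {
    switch (msg.type) {
      case "redeem-code": {
        // The worker, not the page, performs the code exchange (with PKCE).
        const res = await fetchImpl(TOKEN_ENDPOINT, {
          method: "POST",
          headers: { "Content-Type": "application/x-www-form-urlencoded" },
          body: new URLSearchParams({
            grant_type: "authorization_code", code: msg.code,
            code_verifier: msg.codeVerifier, redirect_uri: msg.redirectUri,
            client_id: CLIENT_ID,
          }).toString(),
        });
        if (!res.ok) return { ok: false, error: "token-request-failed" };
        accessToken = (await res.json()).access_token;
        return { ok: true }; // the token itself is never part of a reply
      }
      case "api-request": {
        let url;
        try { url = new URL(msg.url); } catch { return { ok: false, error: "bad-url" }; }
        // Attach the token only for the API origin, so script injected into
        // the page cannot ask the worker to send it somewhere else.
        if (url.origin !== API_ORIGIN) return { ok: false, error: "origin-not-allowed" };
        if (!accessToken) return { ok: false, error: "no-token" };
        const res = await fetchImpl(url.href, {
          method: msg.method || "GET",
          redirect: "error", // do not follow redirects with the token attached
          headers: { Authorization: `Bearer ${accessToken}` },
        });
        return { ok: true, status: res.status, body: await res.text() };
      }
      default: // deliberately no message type that returns the token
        return { ok: false, error: "unknown-message" };
    }
  }
  return { handleMessage };
}
```

This limits what script running in the page can do with a token that already exists; it does not change the client being a public client.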