You can have malware that copies anything stored in the local storage to its own database and transmits it to a server as soon as the user goes back online. Local storage is just as vulnerable to being read by JavaScript as cookies are.
Local storage can be read using JavaScript from the same domain. If you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (i.e. via injection), they will be able to access the local storage.
A persistent threat can stay on a device even when it's offline.
Nobody here is saying that an attacker can easily access your domain's localStorage; they are just expressing the sentiment that "storing plaintext passwords is bad in almost any case".
Just like you can store plaintext passwords in your application database, and theoretically they are safe, but if a bad guy gets in, your users are screwed, not just on your site but on others.
Exactly. In the very worst case, if local storage is to be used for storing a password, it should be stored with asymmetric cryptography so that encryption is done with the public key, but decryption can only be done with the private key, which is stored on the server (and not on the client). With a proper key rotation scheme, this could be an OK solution.
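The scheme described in the comment above, sketched as an added example that is not part of the original thread. Assumptions: RSA-OAEP is chosen here (the comment names no algorithm), Node's built-in `crypto` stands in for the browser's crypto API, an in-memory shim stands in for `window.localStorage`, and the key id and password are constructed.

```javascript
// Added example: Node.js built-ins only; all keys and values are constructed.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// --- Server side: private keys indexed by key id, so keys can be rotated. ---
const serverKeys = new Map();
function rotateServerKey(kid) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  serverKeys.set(kid, privateKey); // the private half never leaves the server
  // Only the public half is shipped to the client.
  return { kid, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}
function retireServerKey(kid) { serverKeys.delete(kid); }

// Decrypt a record the client sent back; retired key ids are rejected.
function openOnServer(recordJson) {
  const { kid, ct } = JSON.parse(recordJson);
  const privateKey = serverKeys.get(kid);
  if (!privateKey) throw new Error('unknown or retired key id: ' + kid);
  return nodeCrypto
    .privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(ct, 'base64'))
    .toString('utf8');
}

// --- Client side: encrypt before anything is written to storage. ---
function sealForStorage(storage, secret, pub) {
  const ct = nodeCrypto.publicEncrypt(
    { key: pub.publicPem, ...OAEP }, Buffer.from(secret, 'utf8'));
  // The key id is stored with the ciphertext so the server knows which key to use.
  storage.setItem('credential', JSON.stringify({ kid: pub.kid, ct: ct.toString('base64') }));
}

// Hypothetical shim with the getItem/setItem shape of window.localStorage.
const storage = {
  data: {},
  setItem(k, v) { this.data[k] = String(v); },
  getItem(k) { return k in this.data ? this.data[k] : null; },
};

const pub = rotateServerKey('kid-example-1'); // constructed key id
sealForStorage(storage, 'correct horse battery staple', pub);
// Any script on the origin can still call storage.getItem('credential'),
// but what it reads is the ciphertext record, not the password.
```

If the server accepts this stored record as a login credential, a script that copies it can replay it until the key is retired; what the scheme protects is the plaintext password and its reuse on other sites.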