
Does saving the cookie or jwt token in the browser raise a security risk?

Çağlar Arlı - 69 Views


I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)


Noting that I am using the Edge browser in private mode: when I open a new tab, I am directed straight to the admin screen without logging in (which seems normal since the token is saved in the browser), but the weird thing is that even when I open a new Edge browser in private mode, I can still see the token when I access the admin URL. A few questions here:

  1. Is there a security issue here with saving the token on the browser side?
  2. I tried to take the token and inject it in Burp as a header, but the request failed; am I missing something here? (I also tried adding it as a cookie, but that didn't work either, so it seems I am missing something.)
  3. Is it normal that when opening a new edge browser in private mode it is still loading the token?