Dec 16, 2021
Came to say largely the same. Now there's extra latency on every request for user validation, compared to a PKI-signed JWT.
Even with a day caching server, there's potentially a lot more traffic. Especially behind systems like GraphQL that are then making many requests behind the scenes. Vs just passing the JWT as-is.
Each of those backing services now has to communicate with the auth system.
I usually include roles in the JWT too. No lookup, just a PKI-trusted authority... Shorter token lifetimes, etc.
Most things won't need secondary lookups.