In my opinion, JWTs aren't insecure by default. Rather, they have the ability to be insecure via the
none algorithm, while in practice, no one ever uses the
none algorithm and FusionAuth doesn't even support it. In most cases, JWTs are only signed and there is an entirely separate specification for encryption, which is quite complex.
Paseto on the other hand is always secure via signing or encryption. Having signing and encryption baked into a simpler specification is a plus. That doesn't necessarily mean that JWTs are bad though. And certainly FusionAuth's support for JWTs is always secure via signing.