How about session hijacking? Can't attackers still use valid tokens even if the end user´s latch is closed?

That depends on how your service is integrated with Latch. The most commonly described scenario is authentication, when your service only communicates with Latch at the moment of checking credentials. However, you can make calls to Latch at any point in your authorization architecture, when you believe a critical operation is being performed.