Some good information here, though it applies to any application, not just node. In general a lot of this should be common sense in terms of security. However, usually with newer developers, and sometimes with expediency in getting things done, this will often lead to scenarios that are much less than secure.
One of the reasons I like using something like React on the client (most UI frameworks are similar) is that by default rendering will not be open to client-side injection. For the server side, all API calls via JSON.parse and all parameterized queries are your best defense.
Another major offense I've seen a lot is private/secure data in the JWT payload, which is *NOT* encrypted, only base64 encoded and signed.