Is it safe to pass jwt token validation result by req.locals
I need to implement a custom authorization logic in my express app. So, I have an authorization middleware that receives the JWT token and checks if it is valid; if it is valid and not expired, then it returns with the next() function to the next request. If it is expired, then it automatically takes the refresh token, replaces the invalid access token with a new one, and again goes to the next request. But different from the classical approach to authorization, I don't want it to return a 401 Unauthorized status if there is no token or no way to refresh the token; simply, the user is not logged in. I have a custom template engine that dynamically changes the content of the page considering the authorization status of the user, like displaying a limited page to visitors and the full page to logged-in members.
For satisfying these needs, I was thinking about assigning a variable in the req.locals object, something that can be accessible in the template engine function like this:
options.request.locals.isLoggedIn
So with this way, my Auth middleware does not return a 401 Unauthorized response anymore, goes to the next request in any condition, but also passes the jwt token validation result with the locals object. However, I don't know if it is in any way possible for that approach to create security vulnerabilities. While I am verifying the JWT token in my authorization middleware, is passing the auth result to the next request (which is the custom template engine itself) with req.locals safe, or just a vulnerable approach? Is there any way for someone to manipulate that information in the req.locals object and, let's say, access restricted content that should be provided only to logged-in users?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow