
If that is unacceptable for the business case, it's probably clear JWTs for sessions are unfit for the particular task?


Is it acceptable for any business to allow accounts to be compromised for a half hour?


I'd actually argue that yes, that is acceptable for more businesses than you might think. We're talking about a session staying usable after logging out for 30 minutes in the worst case.

For this to be exploitable, you'll have to jump through several other hoops, like accessing localStorage of another application, for example.
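The window the commenter describes comes from the token being checked statelessly: a signed JWT stays valid until its `exp` passes, so a logout that only deletes the client-side copy leaves the token usable for the rest of its lifetime. The following added example (not code from any commenter in the thread) shows that behaviour with a minimal HS256 JWT, then closes the window with a server-side revocation list keyed by `jti`. The secret, the 30-minute TTL, and the helper names `issue_token`, `verify_token`, `logout` and `verify_with_revocation` are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-use"
TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute worst case discussed above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, jti: str, now: float) -> str:
    """Mint a compact HS256 JWT that expires TOKEN_TTL_SECONDS after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "jti": jti, "iat": int(now),
               "exp": int(now) + TOKEN_TTL_SECONDS}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Stateless check: signature and expiry only. A logout cannot influence this."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never trust the alg claim to pick a verifier
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None
    return payload


# Server-side revocation list: jti -> exp. Entries can be purged once exp passes,
# so the state is bounded by the number of logouts within one TTL.
REVOKED: dict = {}


def logout(token: str, now: float) -> None:
    """Record the token's jti so later requests are refused before exp."""
    payload = verify_token(token, now)
    if payload:
        REVOKED[payload["jti"]] = payload["exp"]


def verify_with_revocation(token: str, now: float) -> Optional[dict]:
    """Same signature/expiry check, plus a lookup against the revocation list."""
    payload = verify_token(token, now)
    if payload is None or payload["jti"] in REVOKED:
        return None
    return payload
```

With only `verify_token`, a token presented two minutes after logout is still accepted; `verify_with_revocation` refuses it immediately. The cost is exactly the thing stateless JWT sessions were meant to avoid: a shared lookup on every request, even if it is small and self-expiring.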



