The domains allowed for authentication that the Thiado Bocchile spoke, has to do only with the Authentication, that is, in the case of javascript frontend development, even if they download your entire page, it will not be possible if Authenticate through this page because it is not in an allowed location(if Voce has removed the clear localhost) but this is not enough, as it is not possible to hide the access data from firebase (even if you "hide" on the server and search at runtime the access data for this search will be available in the js file) you need to protect the data and files through the Authorisations users, to allow only users Authenticated can access the data, and only the data that each user has Authorization, otherwise, the "invader" can for example access the data even without authentication, or with any user, created on the page itself (or as Anonimo), the security in firebase only works by uniting Authentication with Authorization, any carelessness, and someone can read and erase all your data with 3 lines of code.
ps. although I have said that "hiding" the data on the server does not solve, it helps a little because it is more difficult for the attacker to know what is looking for in his code, by default it is only he search for the word apiKey that he finds even in the minified code all the access information.
Security’s all over the Rules...
– Rodrigo Araujo Lima