I am learning Web Push here, then success to build sample notification web app step by step, with Push Companion, now for server side, I am able to send msg to "fcm.googleapis.com", then any client which subscribe that endpoint(fcm.googleapis.com) can get the notification even web page is closed. That's great, but I am concerning with business case, for security reason, it is not possible to send sensitive data to open endpoint such as "fcm.googleapis.com" for company, so is it possible to setup private endpoint to handle message? If yes, for browser side, does 'subscribe' API support to specify endpoint?
If you use the standard (W3C Push API), then the notification payload is sent encrypted to the browser push service (e.g. Firebase, Mozilla autopush, etc), so they cannot read the content. Also, you can even decide to send only a push signal to activate the service worker and then fetch the notification content from your own server.
However note that what I said above is true only if you use the standard. Firebase also offers a proprietary SDK: if you use their SDK to collect subscriptions or to send notifications, then they will able to collect additional information.
Basically, if you don't want to allow Firebase to see your contents, you need to collect subscriptions using your own code and store the endpoints on your own server. Then you can send the notifications with the encrypted payload from your server to Firebase.
As for changing the push service, only Firefox currently supports that (but it is experimental).