angular, firebase, google-cloud-firestore, angularfire2

Is it possible to intercept and read Firebase data?


I'm in this project in which I access Firestore through AngularFire2, so this doubt bothers me a bit.

Let's suppose that I'm using the valueChanges method, but I only need one document, so I make a client-side filter despite fetching the whole collection. The other documents may contain private information. Can the user access their data through a proxy or variable mapping (I don't know hacker techniques), or are they encrypted?


Solution

  • If a document is returned to the client as part of a query, that means it will be loaded into memory at some point, unencrypted. If your app is running on a compromised device, or the user of that device has "root" or "admin" access of some sort, the memory could be dumped in that instant, and the contents of the documents exposed.

    If the user can't be trusted to read a document under any circumstance, then you should be using security rules to prevent that user from reading the document.
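One way to write the security rules the answer refers to, as an added example that is not part of the original answer. It assumes a collection named `profiles` (a hypothetical name) holding one document per user, with the document ID equal to the owner's Firebase Auth UID.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: /profiles/{userId}, where {userId} is the owner's
    // Firebase Auth UID. The collection name is hypothetical.
    match /profiles/{userId} {

      // Weak setting: every signed-in user can read every document, so a
      // client that fetches the collection and filters locally has already
      // received everyone's data.
      // allow read: if request.auth != null;

      // Corrected setting: a signed-in user may fetch only their own
      // document by path, e.g. afs.doc('profiles/' + uid).valueChanges().
      allow get: if request.auth != null && request.auth.uid == userId;

      // Listing or querying the collection is denied for everyone. This is
      // also the default when no rule matches; it is spelled out here so
      // the intent is visible.
      allow list: if false;
    }
  }
}
```

With these rules a `valueChanges()` listener on the whole collection is rejected rather than silently filtered, because Firestore evaluates rules against the query itself and does not use them to trim results. The client has to request its own document by path, so the other users' documents never reach the device.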