I couldn't really find a definitive answer to the following question:
Is querying the Firestore database directly (i.e. from the front-end app) really secure?
Imagine the scenario where you have all the security rules in place, so users have strict permissions on what they can and cannot do. Even in this scenario, though, what prevents a malicious user from querying the database for "legal" reads thousands and tens of thousands of times, thereby incurring a hefty bill? Or in a similar manner, what prevents said user from performing a bunch of write operations?
How should one defend against these kinds of attacks?
If you want to ensure that a malicious user can't just take your configuration data and then use their own code to repeatedly perform an operation to drive up your costs, consider implementing Firebase App Check. While it can't completely rule out such attacks (yet), it'll make them a lot harder to execute.
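One concrete way to combine the App Check recommendation above with a per-user request limit is to route the expensive reads through a callable Cloud Function instead of querying Firestore straight from the client. The following is an added example, not code from the question, the answer, or Firebase itself. It assumes the Functions v2 `onCall` request shape (`request.app` is populated only when a valid App Check token accompanied the call; `request.auth` carries the signed-in user) and stands in a hypothetical `loadDocs` reader for the real Firestore query so that the logic runs offline; the in-memory limiter is per process, and a shared counter store would be needed across function instances.

```javascript
// Added example: App Check + authentication + per-user sliding-window rate limit
// in front of a Firestore read. The Firebase wiring is sketched in comments only.

class SlidingWindowLimiter {
  constructor(maxCalls, windowMs, now = () => Date.now()) {
    this.maxCalls = maxCalls;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so the behaviour is testable
    this.calls = new Map();  // uid -> timestamps (ms) of recent calls
  }

  // Records the call and returns true if it is within the limit, false otherwise.
  allow(uid) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.calls.get(uid) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.maxCalls) {
      this.calls.set(uid, recent);
      return false;
    }
    recent.push(t);
    this.calls.set(uid, recent);
    return true;
  }
}

// Process-local limiter: 30 calls per minute per user (assumed policy).
const limiter = new SlidingWindowLimiter(30, 60000);

// Handler logic for the callable. `loadDocs(uid, limit)` is a hypothetical
// injected reader standing in for the Firestore query the client used to run.
function handleListOrders(request, loadDocs, lim = limiter) {
  // 1. App Check: reject calls that do not carry a verified app attestation.
  if (!request.app) {
    return { error: 'failed-precondition', message: 'App Check token missing or invalid' };
  }
  // 2. Auth: every call must be tied to a user so the limit can be attributed.
  if (!request.auth || !request.auth.uid) {
    return { error: 'unauthenticated', message: 'Sign-in required' };
  }
  // 3. Rate limit per uid before any database work is done.
  if (!lim.allow(request.auth.uid)) {
    return { error: 'resource-exhausted', message: 'Too many requests' };
  }
  // 4. Cap how much data a single call can pull, regardless of what the client asks for.
  const requested = Number(request.data && request.data.limit) || 20;
  const limit = Math.min(requested, 50);
  return { data: loadDocs(request.auth.uid, limit) };
}

// Deployment sketch (not executed here):
// const { onCall } = require('firebase-functions/v2/https');
// exports.listOrders = onCall({ enforceAppCheck: true }, (request) =>
//   handleListOrders(request, (uid, n) => queryFirestore(uid, n)));
```

The order of the checks matters: App Check and authentication are cheap and reject unattributed traffic first, the limiter runs before any Firestore read so a flood of calls never reaches the billable operation, and the result-size cap stops a single "legal" call from pulling thousands of documents. Writes can be fronted the same way, with the limiter keyed on the user performing them.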