I agree that this is ultimately a problem with developers lacking security knowledge and general understanding, but my issue with Firestore specifically is that it is a powerful tool that, while it can be adopted as part of a carefully considered tech stack, lends itself most naturally towards being a blunt force instrument used by these kinds of developers.

My main criticism of Firestore is that it offers a powerful feature set that is both extremely attractive to amateur or constrained developers while simultaneously doing a poor job of guiding said amateurs towards creating a secure and well designed backend. In particular, the seemingly expected use case of the technology as something directly interfaced with by apps and other clients, as evidenced by the substantial support and feature set for this use case, is the main issue. This no-code no-management client driven interaction model makes it especially attractive to these developers.

This lack of indirection through an API Gateway or service, however, imposes additional design considerations largely delegated to the security rules which can easily be missed by a beginner. For example:

1. Many examples of amateurs take an open-by-default approach, only applying access and write restrictions where necessary and miss data that should be restricted
2. Some amateurs deploy databases with no access or write restrictions at all
3. There is no way to only allow a "view" of a document to a request, instead a separate document and security rules containing the private fields needs to be created. This can be fairly simple to design around but seems to be a bit of a "gotcha", plus if you have similar but non identical sets of data that needs to be accessible by different groups it must be duplicated and manually synchronized.
4. Since there is no way to version data models, incompatible changes require complicated workarounds or an increasingly complicated deserialization process on the client side (especially as existing clients continue to write outdated models).
5. Schema validation of data written by clients to the database is handled by security rules, which is seemingly unintuitive or missed by many developers because I've seen plenty of projects miss it
6. If clients are writing data directly, it can become fairly complex to handle and subsequently maintain their contributions, especially if the aforementioned private data documents are required or the data model changes.

All of these pitfalls can be worked around (although I would still argue for some layer of indirection at least for writes), but at this point I've been contracted to 2 or 3 projects worked on by "professionals" (derogatory) that failed to account for any of these issues and I absolutely sick to death of it. I think a measure of a tools quality is whether it guides a developer towards good practices by design and I have found Firestore to completely fail in that regard. I think it can be used well, and it is perfectly appropriate for small inconsequential (as in data leaks would be inconsequential) single developer projects, but it almost never is.

You know that's not the Tea code, but the downloader, right?

When the technical side reaches a certain level of security, the humans become the weakest link.

this man ssh'd in on a five-digit port

modern day devs being overworked

And then there is meningspunktet.dk which had all the time in the world to do whatever they wanted, and even get their hosting paid for by a university. They still leaked everyones email, phone, full legal name and location on day one and only fixed it because I pointed it out.

https://drkt.eu/files/ramblings/meningspunktet-dk.html

Yeah the whole config thing in that project was an eldritch horror of a legacy, too ingrained in both the services and tooling to be modified without massive rewrites