So, I've seen this post: How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?
Essentially the HTTPS endpoint validates that it's from an authorized use by ensuring Bearer token/Firebase ID is in the Authorization HTTP header.
I'm wondering, if someone found this Firebase ID, wouldn't this HTTP endpoint be compromised? Ie, they could pass a bearer token with Authorization: Bearer <Firebase ID Token>
I've seen other methodologies which would use the Firebase realtime database as an API itself which might be more secure.
Curious if I'm missing something here.