Dude your timing is INSANE, I was literally googling stuff about that right now.
Apparently there are ways to encrypt your API Key in the app but it is never 100% safe, and is considered an “anti pattern” in terms of safety. The only safe solution is to have a server as an intermediary between the app and the API.
For Firebase, you’ve got App Check to make sure requests come from the app and nothing else.
I believe the user OAuth token is also reset every hour, so as long as security rules include auth restrictions, it should be fine.
But if anyone more experienced can provide some insights, I am also extremely interested.
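
The server-as-intermediary approach mentioned in the comment above, sketched as an added example that is not part of the original post: the app sends only a short-lived user token, and the server attaches the API key after checking that token and an allowlist of routes. The HMAC token is a constructed stand-in for whatever the identity provider issues, and the upstream URL, environment variable names and routes are hypothetical.

```python
import hashlib
import hmac
import os
import time

# Hypothetical values: in a real deployment these come from the server's
# environment or a secret manager and never ship inside the app bundle.
UPSTREAM_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-demo-key")
UPSTREAM_BASE = "https://api.example.invalid/v1"
SESSION_SECRET = os.environ.get("SESSION_SECRET", "constructed-secret").encode()
TOKEN_TTL = 3600  # seconds; short-lived, like the hourly token in the comment
ALLOWED = {("GET", "/weather"), ("POST", "/translate")}  # only what the app needs


def _sign(payload):
    return hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Stand-in for the identity provider: user id + expiry + HMAC."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"{user_id}.{expires}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    payload, _, sig = token.rpartition(".")
    user_id, _, expires = payload.rpartition(".")
    if not user_id or not expires.isdigit():
        return None
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    current = now if now is not None else time.time()
    return user_id if current < int(expires) else None


def build_upstream_request(method, path, token, now=None):
    """Decide what the server forwards; the API key is attached only here."""
    user_id = verify_token(token, now)
    if user_id is None:
        return 401, None  # unauthenticated callers never reach the upstream API
    if (method.upper(), path) not in ALLOWED:
        return 403, None  # the proxy is not a general-purpose relay
    headers = {"Authorization": f"Bearer {UPSTREAM_KEY}", "X-End-User": user_id}
    return 200, {"method": method.upper(), "url": UPSTREAM_BASE + path, "headers": headers}
```

A leaked user token expires within the hour and is limited to the allowlisted routes, while the API key itself never reaches the device.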