by faitswulff 2993 days ago
Agreed - this doesn't seem to make sense to me. And the docs seem to corroborate this:

> Note that .read and .write rules shallower in the database override deeper rules, so read access to /foo/bar/baz would still be granted in this example even if a rule at the path /foo/bar/baz evaluated to false.

https://firebase.google.com/docs/database/security/

This seems unreasonable at first glance. Does anyone know the rationale for it?

1 comment

I don't speak for the Firebase team, but this is my rationale: it's "just" nested JSON. If you request one node in the JSON and it passes a security rule, it gives you the entire node. Having to traverse all children for additional rules would be less performant.
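
A minimal model of the cascade described in the quoted docs and the reply above, added here as an example and not taken from the thread or from Firebase's own code. It assumes boolean-only `.read` rules (no auth variables or wildcards); `canRead` and both rule trees are hypothetical and constructed for illustration.

```javascript
// Simplified model of cascading .read rules: booleans only.
// Not Firebase's evaluator; it only mirrors the documented behaviour that a
// grant at a shallower path cannot be revoked by a deeper rule.
function canRead(rules, path) {
  const segments = path.split('/').filter(Boolean);
  let node = rules;
  // Check the root, then each deeper level; the first grant wins and
  // nothing below that level is consulted.
  for (let i = 0; i <= segments.length; i++) {
    if (node && node['.read'] === true) {
      return { allowed: true, grantedAt: '/' + segments.slice(0, i).join('/') };
    }
    if (i === segments.length || !node) break;
    node = node[segments[i]]; // undefined when no rule exists at this level
  }
  // No rule along the path granted access, so the read is denied.
  return { allowed: false, grantedAt: null };
}

// Constructed rule tree matching the docs' description: /foo grants read,
// and a deeper rule at /foo/bar/baz tries to deny it.
const cascading = {
  foo: { '.read': true, bar: { baz: { '.read': false } } },
};

// Constructed alternative: grant only at the subtree meant to be readable,
// so data under a sibling path is never covered by a parent's grant.
const restructured = {
  foo: { public: { '.read': true }, private: { '.read': false } },
};

console.log(canRead(cascading, '/foo/bar/baz'));
console.log(canRead(restructured, '/foo/private/secret'));
console.log(canRead(restructured, '/foo/public/item'));
```

The practical consequence for rule authors is that a deeper `false` is not a deny rule: restricted data has to live outside any subtree whose parent grants read.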