Firefox knows where all its windows are, of course, but that’s not the potential issue being raised. The problem is allowing untrusted javascript access to that info. Luckily, Firefox doesn’t do that, it only allows you (JavaScript author) window information for the windows you’ve directly opened in code.
Actually I don't think Firefox knows the position of the window in Wayland. I thought that coordinates of windows were considered as a compositor concern and not shared with the client.
Better even: the parent window knows the position of it's child window. So firefox only knows the one window. And that in a situation where you actively had to allow the permission for the parent to spawn the child in the first place.