Firebase ACLs are a constant source of vulnerabilities largely because they are confusing and don't have enough documentation around them.