I'm curious about this as well. When I hear "without writing any server code" in the demo video, my mind says that this is client-side validation, which does not suggest it is secure to me. What server-side validation happens under the hood to deal with modified clients/proxies like Burp?
Here's a little secret. The security rules you, as a Firebase developer, write for your Firebase are actually server-side validation code. It just doesn't look like typical code, and we've carefully designed them to have a lot of good properties regarding performance, correctness, and analyzability. And we (Firebase) take care of enforcing them for you.
But it /is/ server-side validation that you, as a developer, get to specify.
(That said, we're definitely happy to get feedback on our approach from any security experts out there that want to take a look!)