I've tried Firebase before but I don't use it. The user was able to send a request to Firebase with someone else's userID, changing the ownership of a Boost. This is exactly why you should to use the auth session's userID on the server-side (as Firebase provides via auth.uid), rather than trusting any userID sent from the client.
And somehow at the end of the blog they mentioned moving away from Firebase. It's an admission of not fully understanding how to secure Firebase properly in the first place. And they took more than a day for a few lines patch.
The browser's tab/design etc paradigm itself, I didn't find anything useful, lot of Twitter hype from idiots. And I don't think they are capable of maintaining security. I installed it to see what the hype was all about, the design personally didn't set with me and moreover my email was mandatory. Go to hell.