Embedding Firebase and running client-side operations is the concept of Firebase itself, you create an API key for your app and put it in google-services.json.
It's a public+non-secret file.
Yes you're right, I was under the impression those were more confidential. Still, having 100k firestore url's can't be good, given how hard is is to correctly secure firestore. Also using similar queries, you can try looking for the definitely-not-public serviceAccountKey.json
It's hard to avoid. My project has a firebaseConfig.js.sample file committed as a reminder to the deployer, they need to create their own. And I put firebaseConfig.js into .gitignore in case a developer is careless.
https://github.com/search?q=filename%3AserviceAccountKey.jso...