It’s not possible for me, a non Google employee to create a file that’s hosted on Google.com, or any Google domain and have it read in the browser as text/html, bypassing many a firewall, for example
Yes it is. Via sites.google.com or Google Docs.
These are abused all the time for phishing and malicious threat actors.