Yeah, I've never understood this. I can't think of any operation where I wouldn't want some backend logic in between. Firebase rules don't cut it.
Since you can embed bknd into any stack, and you can hook into system events, there are plenty of options to customize authorization according to your needs.