Have you only tried npm start or have you done a production build and tested this?
For example:
npm run build followed by npx serve build will run the compiled production-ready app (not run in dev mode.)
Also note, the all the firebase details (apiKey, host, apiID, etc.) are all visible client-side—they are embedded in the code. Check out: