It is therefore possible to limit writes as mentioned above. However, it is still impossible to limit reads, especially on public data.
The solution I'm thinking of implementing is to create a NestJS API (or similar) that takes a Firebase Query as input and executes it.
This also requires taking into account real time reads with websockets and update/create/delete operation.
This is a real shame, as the promise of firebase is to dispense with the need for an API. But with this system, it could be easy to implement external tools like CloudFlare or Google Cloud Armor to protect against DDOS.
The solution isn't ideal, however; if a security rule made this possible, it would be better.
You can vote for this feature and post comments to ask the Firebase team to speed up development on it.