"Putting them openly naked inside your code will make it easy for hackers to access your Firebase app. Inside our react-app, create a .env.local [...]" - well, in fact all variables prefixed with REACT_APP will be incorporated in the final (transpiled) code. So for convenience, it is a good practice to use .env.* files, but remember that all env variables used at runtime are easy to extract from the JavaScript code.
Exactly, this is not a security measure.
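
The point made in the comments above, as an added example that is not part of the original comments or the article: a Node.js pre-deploy check that reports which `REACT_APP_*` values from a `.env.local` file appear verbatim in the built JavaScript. The function names and all sample names and values are constructed for illustration; the `REACT_APP_` prefix (with trailing underscore) is assumed from Create React App's convention.

```javascript
// Added example: report which REACT_APP_* values from an env file are
// present verbatim in a built bundle, i.e. readable by anyone who loads it.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue; // blank line or comment
    const eq = line.indexOf("=");
    if (eq < 1) continue; // not a NAME=value line
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    // Strip one pair of matching surrounding quotes.
    if (value.length >= 2 && /^["']/.test(value) && value.endsWith(value[0])) {
      value = value.slice(1, -1);
    }
    vars[name] = value;
  }
  return vars;
}

// Return the sorted names of REACT_APP_* variables whose values occur in bundleText.
function findInlinedVars(envText, bundleText, minLength = 6) {
  const found = [];
  for (const [name, value] of Object.entries(parseEnv(envText))) {
    if (!name.startsWith("REACT_APP_")) continue;
    if (value.length < minLength) continue; // short values match by accident
    if (bundleText.includes(value)) found.push(name);
  }
  return found.sort();
}

// Constructed sample input (placeholder values, not real credentials).
const SAMPLE_ENV = [
  "# .env.local (constructed)",
  'REACT_APP_API_KEY="EXAMPLE-PLACEHOLDER-KEY-0001"',
  "REACT_APP_PROJECT_ID=example-project-id",
  "REACT_APP_NOT_IN_BUNDLE=value-absent-from-sample",
  "SERVER_ONLY_TOKEN=not-exposed-to-build",
].join("\n");

// Constructed minified output, shaped like a build in which
// process.env.REACT_APP_* references became string literals.
const SAMPLE_BUNDLE =
  'var c={apiKey:"EXAMPLE-PLACEHOLDER-KEY-0001",projectId:"example-project-id"};init(c);';

console.log(findInlinedVars(SAMPLE_ENV, SAMPLE_BUNDLE));
```

In a real project the two inputs would be the contents of `.env.local` and the concatenated files of the build output directory; any name the check reports has to be treated as public.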