DEV Community

Discussion on: Firebase React Authentication Tutorial

Denis Anisimov

You're right, the API key is public. But there is nothing wrong with it, as in the Firebase world the client-side API key is merely an identifier your apps use to talk to Firebase services, and the real authorization happens with the help of Firebase Auth + Security Rules.

Once the user logs in on the client, a short-lived JWT token is issued by Firebase Auth; that token is passed with every request to RTDB, Firestore or Storage, and Security Rules are used to authorize the action or not.

You can read more here: RTDB and Firestore.
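
The authorization step described in the comment above, sketched as a Firestore Security Rules file. This is an added example, not part of the original comment or of the tutorial's code; the `users` collection and the convention that each document ID equals the owner's Firebase Auth `uid` are assumptions made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (shown for contrast, left commented out): with this rule the
    // public API key alone would be enough to read and write every document,
    // because nothing ties the request to a signed-in user.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Hypothetical collection "users", assumed to be keyed by Firebase Auth uid.
    match /users/{userId} {
      // request.auth is filled in from the verified ID token (the JWT) sent
      // with the request; it is null for unauthenticated callers.
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Paths with no matching rule are denied by default.
  }
}
```

With rules like these the API key only identifies the project; access depends on the ID token and on the rule that compares its `uid` to the document path.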