Yeah but if you need features like Cloud Functions or SMS auth you have to give your credit card... with no spending limit... and the standard practice is to expose your firebase creds on the client... and their stated stance is its better to let you get attacked and then maybe waive the charges than to interrupt service to your site for a few hours... lol. Your recourse is to go viral on social media and get them to forgive the debt.
Supabase does. It has a spending cap, so you won't wake up to a 100k bill if you get hacked. An app I recently consulted for used fireabase SMS auth. Someone spammed their sign-in page and they were hit with multiple 4-figure charges. Firebase refuses to refund of course. Its a great model until it really, really isn't.
As a small dev firebase is horrifying.