So you're saying that all server-side data that all apps using Firebase want to store should be stored centrally on Firebase owned servers. i.e since trusted user/pw hashes must be stored on a server to be matched against and the only server we have is the one that Firebase provides, all apps using Firebase will store these hashes on central servers owned by Firebase.. That sounds like a really bad idea.