You can limit Firebase to access from only certain domains. Even though you can get around it using server-side code, the browser environment on a user’s computer accessing a different domain will not be able to connect to your Firebase database directly.
So, in order to capture a user’s password, they’ll need to intercept it on their own server and then route it to Firebase by pretending to be the same domain as yours.
How’s that any different from a regular phishing attack, where, say, you have your own Web API layer?
Hopefully, this answers your Q. Or maybe I’m missing the exact scenario you have in your mind and I didn’t fully understand it.
Let me know and keep the feedback coming.