This article shows how to use Firebase without the
google-services compile-time plugin. This is not the same as how to use Firebase on a device without Google Play services.
I do have an example for that though:
The things in the JSON file are not secrets. You don’t need to worry if they are stolen as long as you are using security rules and other things properly.
Remote Config is NOT a place to store secrets. Yes it uses HTTPS so you can’t sniff it but someone else could easily call the RC API directly.