If your worry is based on the fact that you actually supply the API key and Database URL in Thunkable project and this will be available in the Android APK when recompiled then using Google account authentication should clear the worry as you will not supply any API keys for Firebase and will use either an HTML file to authenticate or a server based approach such as GCP (Google Cloud Platform) and therefore your Firebase API keys will not be in the project anymore.
As I pointed out previously, the drawback of this approach is that you have to use APIs to read/write data to Firebase and not the normal Thunkable blocks.