It’s not about keys or modes, it’s about the rules they didn’t set up. Everyone uses Firebase like that. Those “keys” are required to allow you to connect to the correct Firebase app, nothing more. You don’t get any direct special permission to do things on the database or storage.
Here is some more info about the rules: https://firebase.google.com/docs/database/security
But make sure you just switched Firebase to production mode.
In my case, the Firebase was in development mode and the data is publicly available!
https://yoginth.com/college-hack#mitigations
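
The comments above turn on the fact that access is decided by the database rules, not by the app keys. As an added example (not part of the original comments), this sketch walks a Realtime Database rules JSON and reports every path whose `.read` or `.write` is unconditionally true; the function names and both sample rule sets are constructed for illustration.

```javascript
// Added example: audit a Realtime Database rules object for world-open paths.
// Function names are hypothetical; the sample rule sets below are constructed.

// A rule grants unconditional access when it is boolean true or the string "true".
function isUnconditional(value) {
  return value === true || (typeof value === "string" && value.trim() === "true");
}

// Walk the rules tree and return each path where .read or .write is open to anyone.
// Read/write grants cascade to child paths, so once a path is open its children
// are treated as already exposed and are not reported a second time.
function findOpenPaths(rulesDoc) {
  const findings = [];
  function walk(node, path, inherited) {
    const open = { read: inherited.read, write: inherited.write };
    for (const op of ["read", "write"]) {
      if (!inherited[op] && isUnconditional(node["." + op])) {
        open[op] = true;
        findings.push({ path: path || "/", op });
      }
    }
    for (const [key, child] of Object.entries(node)) {
      if (!key.startsWith(".") && child && typeof child === "object") {
        walk(child, path + "/" + key, open);
      }
    }
  }
  walk(rulesDoc.rules || {}, "", { read: false, write: false });
  return findings;
}

// Constructed sample: everything readable and writable by anyone holding the app config.
const openRules = { rules: { ".read": true, ".write": true } };

// Constructed sample: per-user data locked to its owner, one deliberately public feed.
const ownerOnly = "auth != null && auth.uid === $uid";
const lockedRules = {
  rules: {
    users: { "$uid": { ".read": ownerOnly, ".write": ownerOnly } },
    announcements: { ".read": true, ".write": false },
  },
};

console.log(findOpenPaths(openRules));
console.log(findOpenPaths(lockedRules));
```

Any finding at `/` means the whole database is exposed; a finding on a single subtree, like the public feed in the second sample, should be an intentional choice.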