Can we please start talking seriously about security around these frameworks? Exposing your DB API directly to the client is opening yourself to the equivalent of "rm -rf /" or "DELETE * FROM table".
I honestly believe that most people ignore that question because they can't convince themselves that someone who can design something like Meteor would create such an obvious security hole.
Edit: If you downvote, please elaborate on what I am missing. I really would like to know.
Firebase may have major security problems; they plan on having everything client side, and have given a vague "uh, sure, we've got plans - we'll fix it all with ACLs!" answer, which isn't filling a lot of people with confidence. But they seem like cool guys, and they'll probably figure it out.
Meteor and (I believe) Derby simply don't have this security issue; it's obvious from the design that they don't, it's a major selling point on Meteor's website that they won't, and the Meteor devs have explained it in detail. They've even explicitly stated what was already pretty damn clear: There is no ability to drop a database (or similar) from a Meteor client.
In short, Meteor and Derby are both client/server frameworks where the security, validation, and authentication live on the server; that is a very well proven design (inasmuch as it's the same used in, you know, every webapp on the planet). And contrary to the parent's comment, they DO NOT EXPOSE THEIR DATABASE API TO THE CLIENT.
So the reason people are ignoring the question (and downvoting you) is that you are talking about Meteor (and Derby), and those concerns obviously do not apply. If you want to argue about Firebase's security, you should feel free, but this isn't really the place to do it. :)
I haven't claimed that they created an obvious security hole.
I gave the answer why most people don't ask that question while clearly refraining from stating an opinion on the matter, simply because I'm no security expert who can judge if introducing such an API creates additional vulnerabilities even with server-side checks (not obvious).