Will allow further security validation and early detection of security checks failures.

To give an example of why this is important,
I use a Firebase Collection as an API alternative, I create a task record that triggers a cloud function, it allows me to manage my resources effectively and provide partial updates, way more flexible than traditional REST, however with API I use bearer tokens to verify that the identity of the person creating the record and deciding if they are allowed or 401, without UID in record metadata I have to send the plain UID as a field in the record and trust it blindly on the server side, or worse send the user token in plain text as a field for verification.