We’re exploring Firebase Studio as a replacement for platforms like Replit, Bolt, and Lovable for vibe-coding applications, especially because it offers seamless connectivity to private VPCs. However, one major concern is that apps become publicly accessible by default once published.

Most vibe-coders learn cybersecurity the hard way and often end up blaming the platform, so having secure defaults is crucial. We fully support the direction Google is taking with Firebase Studio, but this issue needs to be addressed. Ideally, Firebase Studio apps should require Google authentication by default, with an explicit option for developers to make an app public only when they choose to.