If your application requires authentication, you should just use server-side rendering / routing for ungated views. If those views need to be interactive or whatnot, treat 'em as small separate frontend apps. Removing as many session management concerns as possible from the client-side SPA is always nice. You can pretty much get it down to only checking for 401 responses and a cross-tab session tracking mechanism (easily done with localStorage) to prevent impossible states from the user switching sessions.
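The two client-side pieces named in the comment above (reacting to 401 responses and tracking the session across tabs with localStorage), as an added example that is not part of the original thread. `SESSION_KEY`, `createSessionGuard` and `guardedFetch` are hypothetical names, and the stored value is assumed to be a non-secret marker such as a user id, with the real credential kept in an HttpOnly cookie.

```javascript
// Added example; all names here are hypothetical, not from the thread.
const SESSION_KEY = 'app.sessionMarker'; // non-secret marker only, never the credential

// storage: localStorage-like object; target: window-like object that emits
// 'storage' events; onInvalid(reason): app callback (drop state, show login).
function createSessionGuard({ storage, target, onInvalid }) {
  let current = storage.getItem(SESSION_KEY); // marker this tab started with

  // 'storage' fires only in the *other* same-origin tabs when a key changes.
  target.addEventListener('storage', (e) => {
    if (e.key !== null && e.key !== SESSION_KEY) return; // unrelated key
    const next = e.key === null ? null : e.newValue;     // key === null: clear()
    if (next === current) return;                         // nothing changed for us
    current = next;
    onInvalid(next === null ? 'signed-out-elsewhere' : 'user-switched-elsewhere');
  });

  return {
    // Call after a successful login in this tab.
    begin(marker) { current = marker; storage.setItem(SESSION_KEY, marker); },
    // Call on logout or when the server reports the session is gone.
    end() { current = null; storage.removeItem(SESSION_KEY); },
    marker: () => current,
  };
}

// Wrap fetch so a 401 from any API call clears the marker; removing the key
// raises a 'storage' event in every other tab, which then invalidates itself.
function guardedFetch(fetchImpl, guard, onInvalid) {
  return async (...args) => {
    const res = await fetchImpl(...args);
    if (res.status === 401) {
      guard.end();
      onInvalid('unauthorized');
    }
    return res;
  };
}
```

In a browser this would be wired as `createSessionGuard({ storage: localStorage, target: window, onInvalid })`. The marker only keeps tabs consistent; the server still decides authorization on every request.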
Great points and I mostly agree with what you stated. I have been experimenting with serverless apps a lot lately. The example code is meant to be a treatment for when you don't have (or don't want) a server to configure. Example being using Firebase hosting with Firebase functions (or AWS Lambda, Google Cloud Functions, etc.).
Obviously client-side routes will never be secure but that is not the point. The example code shows a way to protect your user from accessing routes/components that would not function properly without an authenticated user (Universal User Id and/or unique email address).