Great points and I mostly agree with what you stated. I have been experimenting with serverless apps a lot lately. The example code is meant to be a treatment for when you don't have (or don't want) a server to configure. Example being using Firebase hosting with Firebase functions (or AWS Lambda, Google Cloud Functions, etc.).
Obviously client-side routes will never be secure, but that is not the point. The example code shows a way to protect your user from accessing routes/components that would not function properly without an authenticated user (Universal User Id and/or unique email address).