Conclusion: Never leave your Firebase project unattended!
Fun Fact:
From the original post:
I had Cloudflare in front of my stuff. Hacker found an uncached object and hit it 100M+ times. I stopped that and then they found my origin bucket and hit that directly.
CF Workers can access private bucket storage to keep that more secure but workers are billed per instance/minute.
I think I needed rate limiting too which doesn’t seem to be default.
I can’t risk making a minor config mistake and having it cost me 100k.
Done with cloud.