What is the intent of allowing arbitrary document assignment to any other global user in the system, with zero default security checks in place? That seems like a fundamentally terrible idea. Other sharing systems require explicit steps to share documents between users (sharing a Google doc with an email address, for example), and it's a very controlled workflow. In Firestore, user IDs are global, and you can arbitrarily give them data? Even if you can get around this with specific security rules, why is this even a thing in the first place?
Kinda the opposite - Firestore documents don't inherently have a userId of the owner. Rather, they just have arbitrary fields.
Making all your documents have a `owner_uid` or `userId` field is just a convention they recommend, because it helps you write rules.
So rather: they have no default system for handling documents that can only be accessed by a given user, but rather you have to construct it using `firestore.rules`, and you end up with something oddly default-insecure.
