Excuse me if I've missed something. But surely having your API key inside the create-react-app will expose your backend to abuse.
Oh none at all, you're right on point. I've also wondered the same thing until I came to this post:
I won't put anything into my Firebase project except for this tutorial, so for all purpose I think it will be fine.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.