How does Firebase security compare to Supabase security?

Firebase uses a custom rules language to define access control, while Supabase uses PostgreSQL Row Level Security policies written in SQL. Firebase rules are evaluated in a sandboxed environment and cannot perform joins or complex queries, while Supabase RLS policies have full access to SQL including subqueries and functions. Both platforms require explicit security configuration and are not secure by default. Firebase offers a Rules Playground for testing, while Supabase provides an RLS debugger in the dashboard. UNPWNED scans both Firebase and Supabase projects, detecting platform-specific misconfigurations for each.