[JonDevOps]

The security rule for reading user profiles has been changed to allow read: if true;, granting public read access to all user profile documents. This exposes sensitive user information, including email addresses, notification preferences, bio, skills, and social links, to any visitor (even unauthenticated ones), which is a significant privacy violation and could be used for mass data harvesting. Please confirm if this is the intended behavior. If some profile fields should remain private, consider splitting the user profile into public and private subcollections.

Originally posted by @gemini-code-assist[bot] in #469 (comment)