json – Cant any database/service be hacked in theory?

If I have to log in to my DB (In my case FireBase RealtimeDB), the login will always be in my code, so how do services secure their DB?

IPS can be spoofed so you cant do it by whitelisting IP, secure tokens even if not visible, the console can be opened and fetched.
And just doing it raw only works in PHP; I don’t use PHP (WebJS Dev)

How the heck are databases secured, and how can I secure my firebase realtime db?