Is it possible that Firebase credentials are exposed?

If an Ionic 3 app is essentially transpiled code, is it possible that my Firebase credentials can be found and used to insert/create bad data?

If it is on your mobile app (APK/IPK) . then no.

If you put it on the web as a PWA then Yes-kinda. You should only expose the www folder not your “src” folder to the web.

If by credentials you mean this:

let config = {
    apiKey: "<API_KEY>",
    authDomain: "<PROJECT_ID>",
    databaseURL: "https://<DATABASE_NAME>",
    storageBucket: "<BUCKET>",
    messagingSenderId: "<SENDER_ID>",

Then yes, everybody who has the app (no matter whether it’s a Cordova app or web app) can access this config. It’s what is needed for the app to interact with your Firebase project.

To control who can read and write to/from your database, use authentication and database rules.

Most importantly, never put the login credentials of the Firebase console anywhere in the source code.

See here for more information on database rules: