Having spent literally days trying the different, various recommended ways to do this, I've landed on what I think is the most simple and promising. Also thanks to the kind gents from this SO question: Get the index ID of an item in Firebase AngularFire

Curent setup

Users can log in with email and social networks, so when they create a record, it saves the userId as a sort of foreign key.

Good so far. But I want to create a rule so twitter2934392 cannot read facebook63203497's records.

Off to the security panel

Match the IDs on the backend

Unfortunately, the docs are inconsistent with the method from is firebase user id unique per provider (facebook, twitter, password) which suggest appending the social network to the ID. The docs expect you to create a different rule for each of the login method's ids. Why anyone using >1 login method would want to do that is beyond me.

(From: https://www.firebase.com/docs/security/rule-expressions/auth.html)

So I'll try to match the concatenated auth.provider with auth.id to the record in userId for the respective registry item.

According to the API, this should be as easy as

In my case using $registry instead of $user of course.

{
  "rules": {
    ".read": true,
    ".write": true,
    "registry": {
      "$registry": {
        ".read": "$registry == auth.id"
      }
    }
  }
}

But that won't work, because (see the first image above), AngularFire sets each record under an index value. In the image above, it's 0. Here's where things get complicated.

Also, I can't test anything in the simulator, as I cannot edit {some: 'json'} To even authenticate. The input box rejects any input.

My best guess is the following.

{
  "rules": {
    ".write": true,
    "registry": {
      "$registry": {
        ".read": "data.child('userId').val() == (auth.provider + auth.id)"
      }
    }
  }
}

Which both throws authentication errors and simultaneously grants full read access to all users. I'm losing my mind. What am I supposed to do here?