I think it is not a security vulnerability because it only shows the uid and email, not the password. This information is already shown in the Chrome developer console. It is not something if someone knows the email address of your app user. The idToken is what is important here.
I suggest you use Firebase App Check in your apps. With reCAPTCHA and App Check, Firebase accepts requests only from your app.
Also, change the idToken with the refresh token periodically at a specific time.
It’s true that the password is not shown, but the uid, email and other metadata are still private information that no one should see without the user's permission. The Composer, as far as I know, doesn’t have tools to control this behavior.
Despite that, thanks for suggesting Firebase App Check. I read about it and I think it should help prevent attacks.