Yeah, that was my reaction to a lot of the discussion on this article. Firebase Realtime DB has been one of the most amazing pieces of software I've used. I don't have to worry about the connection details at all, I just have this data store that feels like a local DB except it's "magically" synced with the server, and any other users of the DB "magically" get updates when I change it.

How do you implement ACLs and other privacy-related transformations in that model?

You write Firebase Security Rules [1] that restrict access to paths within your database, it's quite awesome. Those rules can be used to implement ACLs and object ownership, and also role-based access according to claims that exist on the JWT of the authenticated user.

[1] https://firebase.google.com/docs/rules

It could be, but I own it and the roadmap.

The key thing that I can do is await on players decision, so I can block the entire process for multiple people to do things.

And Realm, and couch/pouch