If you're building an app, such as a social media app, where other users can view user information (display_name, photo_url, etc.), you should set read to true in the users collection of your Firestore rules.
However, this also allows access to the email field in the users collection, but I don't want to expose the email.
You cannot view the email unless you retrieve it, but it is possible to access it, so I think there is a security concern.
Firestore doesn't allow read access control at the field level, so in this case I'm thinking of creating a separate collection (e.g. public_users) that will be exposed to other users, and making the users collection private.
Does anyone know of a better way?