If a logged-in user can only read their row in the users table, then you cannot create a collection for the entire users collection (since that would mean that everyone could read the users table). Creating a new instance of Backbone.Firebase.Collection
for a particular URL will immediately try to download all the data at that URL, which will fail because of the security rules.
I recommend using Backbone.Firebase.Model
instead, and creating a new instance for the user, directly at the URL with the user ID included.