The auth variable in security rules corresponds to the token used in auth(). This is not specific to Simple Login or to the email/password provider. (Simple Login supports multiple authentication methods, not just this one). $user in your example refers to a $ variable.
Most of this is explained in the security rules overview and I'd highly recommend reading that and the quick start as a primer to working with security rules.
To prevent a user from removing data, simple add newData.exists(), which will ensure that it is not set to null (i.e. deleted).
{
"rules": {
"path_with_no_delete": {
"$record": {
".write": "newData.exists()" // you probably want auth.id in here somewhere too
}
}
}
}