You can disallow a read on the parent, but allow reads if the ID is known:
"rules": {
"messages": {
// Disallow enumerating list of messages
".read": false,
".write": false,
"$messageID": {
// If you know the messageID you can read the message.
".read": true,
// Cannot overwrite existing messages (optional).
".write": "!data.exists()"
}
}
}
See https://github.com/firebase/firepano for an example app that uses unguessable URLs for security.