It depends on how you define a "secure session". There are two issues at play here.
Transport level security: The Firebase JS client communicates with the servers over HTTPS. Additonally, Firebase has a security rules system that lets you specify which clients can read and write which data.
Application level integrity: However, the client is free to make whatever changes it is authorized to, even if they are not triggered by your JS code. For example, in a web page, I can open the developer console and use the Firebase API to make data changes that aren't part of the web page's logic.
To tackle the latter, you'll need a server where you can run trusted code to enforce game state. For instance, every move made by a client in the game should be first put into a "pending" queue. A server process should monitor all pending changes, validate them and them move them to a "final" game state location which will be the authoritative game state.