No, the uid can be retrieved under auth.uid in the rules. This is server side. Take this rules for example:
"users": {
"$uid": {
".read": "$uid === auth.uid", <--------------------------------
"online": {
".read": "auth != null",
".write": "$uid === auth.uid"
},
The arrow indicates the line I mean. It does not matter if you got someone else his UID, because when you try to retrieve data with that rule, it will fail because there is a mismatch. The auth.uid is server side and as far as I know, is pretty good protected. He can change his own UID client side and try to retrieve data, but with security rules you can prevent data exchange.
It is all about the rules you define. When you define the rule at the arrow, you do not have to worry.
