It's not possible to use security rules to limit access to a certain app. If your rules allow read access without requiring a sign-in using Firebase Authentication, then anyone with an internet connection can perform reads.
Minimally, you could require anonymous authentication. But that still would not stop someone from creating an account and using that to read everything without going through the app.
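An added example, not part of the original answer, assuming Cloud Firestore and hypothetical collection names (`announcements`, `articles`, `users/{userId}/notes`). It shows the two cases described above plus a per-user rule: rules can key on who is signed in, never on which app sent the request.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // (1) No sign-in required: readable by anyone with an internet
    //     connection, from any client, not only your app.
    //     Collection name is hypothetical.
    match /announcements/{docId} {
      allow read: if true;
    }

    // (2) Sign-in required. Anonymous accounts satisfy this check too, and
    //     any signed-in account can read every document in the collection.
    //     Collection name is hypothetical.
    match /articles/{docId} {
      allow read: if request.auth != null;
    }

    // (3) Sign-in required and scoped to the caller: an account can read
    //     only the documents stored under its own uid, so creating an
    //     account outside the app exposes nothing beyond that account's data.
    //     Path layout is hypothetical.
    match /users/{userId}/notes/{noteId} {
      allow read: if request.auth != null && request.auth.uid == userId;
    }
  }
}
```

Rule (3) does not identify the app either; it limits what each signed-in identity can reach.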