How do I write a working Firestore collection group security rule for write/delete?

Either I'm doing something wrong or Firestore security rules for collection groups don't seem to be working as intended. The following rule allows me to add a doc to a notes collection, but when I try to read it I get missing or insufficient permissions:

match /{path=**}/notes/{notedoc} {
    allow write: if false;
    allow read: if false;
}

I need request.auth.uid != null to be able to read, create, and update, and only request.auth.uid != null && request.auth.token.superadmin == true to be able to delete. Any ideas what I'm doing wrong?

I've simplified the rules above, but the following also allows users to delete notes:

match /{path=**}/notes/{notedoc} {
    allow create: if request.auth.uid != null;
    allow update: if request.auth.uid != null;
    allow delete: if false;
    allow get: if request.auth.uid != null;
    allow list: if request.auth.uid != null;
}
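
The access policy stated in the question, written out as a complete rules file. This is an added example, not part of the original post; the helper function names signedIn and isSuperadmin are assumptions, and the superadmin custom claim is taken from the question.

```firestore
// rules_version 2 is required for the recursive wildcard {path=**}
// to be usable in a collection group match.
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: any authenticated caller.
    function signedIn() {
      return request.auth != null;
    }

    // Hypothetical helper: authenticated caller whose ID token carries
    // the custom claim superadmin == true (claim name from the question).
    function isSuperadmin() {
      return signedIn() && request.auth.token.superadmin == true;
    }

    // Applies to every collection named "notes", at any depth.
    match /{path=**}/notes/{notedoc} {
      allow get, list: if signedIn();
      allow create, update: if signedIn();
      allow delete: if isSuperadmin();
    }

    // Firestore grants a request if ANY matching allow statement is true.
    // A broader match elsewhere in the file (for example a parent-level
    // match /{document=**} with "allow write") also covers notes documents
    // and overrides "allow delete: if false" above. Check the whole file
    // for overlapping matches before concluding this block is ignored.
  }
}
```

Rules apply only to client SDK requests; the Admin SDK and the Firebase console bypass them, so test with an authenticated client or the rules emulator.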


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow