How does Firebase identify my application and prevent other apps from impersonating my app?

Question

I have created a project in Firebase and registered my app. I send data messages to this app. I do not want to have any user authentication on my app. However, I do want that all my FCM data messages be handled only by my app. No other app be able to access my data messages.

So, my question is - How does Firebase ensure that the app which is registering with my project is the intended app?

If it is based on package name, then I can very well create a dummy app and name it exactly the way as the app I'm trying to spoof. Isn't this a big security flaw?

I can decompile the APK to get all the required config for the google-services.json. So, what stops someone from tricking my Firebase project into registering their app and getting access to all the data messages?

I created a dummy app and was able to reproduce the above. The dummy app successfully received the data message.

I do see something called App ID for my app in the Firebase project settings, but this isn't something I provided while setup. So, this is something Firebase generated. So, this wouldn't be a way to verify the app I assume.