How does Firebase Crashlytics authenticate the user that uploads dSYM files?

Many years ago, developers had to use a special Firebase Service Account (JSON file) with a private key to upload dSYM files to Crashlytics. But nowadays, you have to provide only the app ID, which is bundled with the app and is public.

Does it mean that anybody can upload any dSYM file for any Firebase app? If so, is this a security vulnerability, because an attacker can upload fake symbols to prevent Crashlytics from correctly symbolicating crash reports?
