Why are you looking into hiding them? Google “expects” us to use those API keys in a public environment and that’s why they provide the domain whitelisting function. Your API won’t accept calls that are not from the domains you specify.
You also need to set up Security Rules properly, in order to control what can be changed/read and who can do that in the DB.
Once you take those security measures, no one with the API keys can do things that they're not supposed to.
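
As an added illustration (not part of the reply above), here is what such Security Rules can look like. It assumes the database is Cloud Firestore and uses a hypothetical `users` collection keyed by the signed-in user's UID, with hypothetical `displayName` and `bio` fields; the wide-open rule is shown commented out for contrast.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (do not deploy): anyone holding the public API key can read
    // and overwrite every document in the database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: access is tied to the authenticated user, not to the API key.
    // "users", "displayName" and "bio" are hypothetical names for this example.
    match /users/{userId} {
      // A user can read only their own profile document.
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // A user can create or update only their own document, and only
      // with the expected fields, types and sizes.
      allow create, update: if request.auth != null
                  && request.auth.uid == userId
                  && request.resource.data.keys().hasOnly(['displayName', 'bio'])
                  && request.resource.data.displayName is string
                  && request.resource.data.displayName.size() <= 64;

      // Deletes from clients are not allowed.
      allow delete: if false;
    }

    // No other match blocks: any path not matched above is denied by default.
  }
}
```

With rules like these, a request that carries only the API key and no matching signed-in user is rejected by the database, whichever domain it comes from.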