To access secrets from cloud functions, Google provides the Secret Manager API:

Secret Manager stores API keys, passwords, certificates, and other sensitive data. It provides convenience while improving security.

On the other hand Firebase suggests storing secrets via its Environment configuration API as explicitly mentioned in its docs and examples:

Often you'll need additional configuration for your functions, such as third-party API keys or tuneable settings. The Firebase SDK for Cloud Functions offers built-in environment configuration to make it easy to store and retrieve this type of data for your project.

Question:

Firebase's configuration API appears to be more simplistic in the way it handles data and is also free of charge, which makes it attractive to be used for Firebase projects instead of the Secret Manager API.

What are the advantages and drawbacks when comparing the two APIs in the context of a firebase project? Most importantly, are there any drawbacks in terms of security when utilizing Firebase's configuration API over the the Secret Manager API?

The major differences aside from what you’ve pointed out is that Secret Manager has features like auditing, fine-gained access controls, versioning, and multi-regional replication.

I'm going to file an internal issue about making a "comparison" page to make this clearer.