Since I've never used them, how could API keys for Firebase or Maps be safe for embedding in client side code?

I mean, I get that authentication to the service is performed via other means, but what's the use of the key then?

I'm guessing it's just a matter of binding service invocations to the GCP Project to be billed, by first making sure that the authenticated principal has rights on that project, in order to protect from exfiltration. That would still be a strange use case for what gets called an "API key".