I have a protected collection that has nested data in it:
match /appUsers/{uid} { allow read: if isSignedIn(request.auth) && isAdmin(request.auth)
