Do I need extra security checks rather than firebase provides?

[ahmetyaziciDEFY]

In my app I have appCheck, and also authentication is done with signInWithEmailAndPassword method (auth token is auto assigned) , and the authorization is done via claims ({ role: 'Admin' } ext.). In my cloud functions I check the auth and app, and if needed the role via claims.Also I have some firestore rules in my database which does everything I want to do. But I wonder if there i anything extra I need to do in order to secure my app from attacks like XSS or CSRF. Any comment is appreciated.