They can create a different user and modify that user's data, which is fine. However, they won't be able to get hold of that anonymous user's data. You can ensure that only that specific user (identified by the unique user id) can access his/her own data by setting the following rule. Each anonymous user has a unique uid:
    "$user_id": {
      // grants write access to the owner of this user account
      // whose uid must exactly match the key ($user_id)
      ".write": "$user_id === auth.uid",
      // You can do the same for reads.
      ".read": "$user_id === auth.uid"
    }
Check the docs for more on this: https://firebase.google.com/docs/database/security/user-security
This ensures that a user signed in to your real app anonymously will not have their data accessed externally by some phishing app.
However, you can't protect against someone using your API key and signing up anonymous users. If you want a more secure sign-in mechanism, you can look into the OAuth providers or phone sign-in, which have origin verification mechanisms.
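The rule from the answer above can be checked offline with a simplified model of rule evaluation. This is an added example, not part of the original answer and not Firebase's own rules engine; the `users` path, the sample uids and the helper names `evalRule` and `isAllowed` are assumptions made for illustration.

```javascript
// Simplified model of Realtime Database rule evaluation (not Firebase's engine).
// Assumed layout: per-user data under /users/<uid>; "users" is a hypothetical path.
const rules = {
  users: {
    $user_id: {
      ".read": "$user_id === auth.uid",
      ".write": "$user_id === auth.uid",
    },
  },
};

// Evaluate one rule expression with the bound $wildcards and the caller's auth.
// Any evaluation error (for example auth is null) is treated as a denial.
function evalRule(expr, vars, auth) {
  const names = Object.keys(vars);
  try {
    const fn = new Function("auth", ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch {
    return false;
  }
}

// Walk the path from the root. Access is granted as soon as a rule on the way
// evaluates to true; if none does, the request is denied (default deny).
function isAllowed(op, path, auth) {
  let node = rules;
  const vars = {};
  const grants = (n) => typeof n[op] === "string" && evalRule(n[op], vars, auth);
  if (grants(node)) return true;
  for (const segment of path.split("/").filter(Boolean)) {
    if (Object.prototype.hasOwnProperty.call(node, segment)) {
      node = node[segment];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false; // no rule covers this location
      vars[wildcard] = segment; // bind e.g. $user_id to the path key
      node = node[wildcard];
    }
    if (grants(node)) return true;
  }
  return false;
}

// Constructed sample identities: every anonymous sign-in gets its own uid,
// including one created by a third party that reuses the app's API key.
const appUser = { uid: "anonUidA", provider: "anonymous" };
const otherAnon = { uid: "anonUidB", provider: "anonymous" };
console.log("owner reads own data:", isAllowed(".read", "/users/anonUidA", appUser));
console.log("other anon reads it:", isAllowed(".read", "/users/anonUidA", otherAnon));
```
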