That is one approach, (using firebase) but I am wary of using google services. They discontinue or change products with little warning, and they probably save a copy of everything we send through them. There is a java library that allows you to do it directly from your own server where the message you send is encrypted and we have much more control and privacy. My application involves medical stuff that needs to be hippa compliant. Removing another source that needs another baa
I dont think that firebase cloud messaging, will take much changes. A lots of Android-Apps rely on it.
You could also manually encrypt the message, before sending it via firebase.
But sure, using google-services is in some cases not a deal.
Which java-library you are using for this?