I want to know the extent that firestore caches security rule evaluations of get() lookups when executing a query or across queries. I feel that the docs, while they do mention cacheing occurs, do not detail the specifics of when it happens or how queries incur particular read costs.

My question is therefore is, on a given query where many documents are requested, will an applicable firestore rule always cache results of get() if that get() is to the same document across the query?

For instance, I have an image collection where each image doc should logically belong to a project (ie project field in the doc). I want an image doc to be secured such that its viewed only by people who are “assigned” to that project, so i structure my data like this:

images collection:

"imgxyz": {
  name: "img1",
  url: "xyz.com",
  snapshot:"bbb",
  project: "aaa",
}
"imgzyx": {
  name: "img2",
  url: "zyx.com",
  snapshot:"bbb",
  project: "aaa",
}

users collection:

"uid1": {
  userName: "img2",
  email: "zyx.com",
  projects: ["aaa","bbb"],
}

then the rules:

service cloud.firestore {
  match /databases/{database}/documents {
  
    function canViewImage() {
    
        let userProjects = get(/databases/$(database)/documents/users/$(request.auth.uid)).data.projects;
        let requestedDocProject = request.resource.data.project;
        return requestedDocProject in userProjects;
    }
  }
}

with the above, how would a query like .where("snapshot", "==", "bbb") perform from a security rules cost standpoint, if the retrieved image docs were in the thousands? Would I incur just 1 additional read for the get() lookup of the user, provided to all rule evals of the image doc? or would it be equal to the amount of image docs.

Further, what if the queries were individually called, ie .get("imgxyz") then right after .get("imgzyx"), how would the cacheing work then?

note: i saw this question, but didnt feel that it sufficeintly explained when/why security rules would cache results.

Thank you in advance!