Does Cloud Functions for Firebase respect the real

Posted 2019-08-29 04:03

Question:

I am trying to secure my Realtime Database using security rules at specific nodes.

I understand that Firebase rules will apply when I write/read using my device.

What if the write/read happened to be from Cloud Functions?

If I secure the (users) node, does Cloud Functions know that (users) is secured, or does it read and write anyway?

Answer 1:

When you use the Firebase Admin SDK to access Realtime Database, by default it has full read and write access. The assumption with the Admin SDK is that you're running in a privileged environment where the code is fully under your control, and you know exactly what you're doing.

The fact that your code is running in Cloud Functions has no bearing on any of this. It could just as easily be running on your desktop or some other server you control. This is a property of the Admin SDK.

If you want to change the scope of access to Realtime Database, you will have to know the end user's UID, then initialize the SDK to limit the scope of its privilege to that UID using databaseAuthVariableOverride at the time of init.
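
The scoped initialization described in the answer, as an added example that is not part of the original answer. The helper names (`scopedOptions`, `databaseAs`), the `scoped-<uid>` app naming, the `/users/<uid>` path layout and the `DATABASE_URL` placeholder are assumptions; `admin` is the `firebase-admin` module, passed in by the caller.

```javascript
// Added example: per-user scoped Admin SDK access to Realtime Database.
// `admin` is the firebase-admin module (passed in so the helper can be tested
// with a stub); DATABASE_URL is a placeholder, not a value from the page.
const DATABASE_URL = 'https://<your-project>.firebaseio.com';

const scopedApps = new Map(); // uid -> initialized App, reused across invocations

function scopedOptions(uid) {
  // Refuse anything that is not a non-empty string: a missing UID must never
  // silently fall back to the unrestricted default app.
  if (typeof uid !== 'string' || uid.length === 0) {
    throw new TypeError('uid must be a non-empty string');
  }
  return {
    databaseURL: DATABASE_URL,
    // Security rules are evaluated as if `auth.uid === uid`.
    databaseAuthVariableOverride: { uid },
  };
}

function databaseAs(admin, uid) {
  let app = scopedApps.get(uid);
  if (!app) {
    // A named app keeps the override separate from the default (full-access) app.
    app = admin.initializeApp(scopedOptions(uid), `scoped-${uid}`);
    scopedApps.set(uid, app);
  }
  return app.database();
}

// Usage inside a function that has already verified the caller's identity
// (assumed path layout /users/<uid>):
//   const admin = require('firebase-admin');
//   const db = databaseAs(admin, verifiedUid);
//   await db.ref(`users/${verifiedUid}`).update({ lastSeen: Date.now() });
//   // A write to another user's node is rejected if the rules restrict it.
```

The UID passed to `databaseAs` should come from a verified source such as the function's authenticated context, never from request parameters the client controls.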