security rules

I'm writing a Flutter app and I want to allow a client running the app, to read and write files to R2 storage in a private bucket. Is it possible that a "hacker" could figure out the keys and paths or whatever that give access to the R2 storage and start using my R2 storage for their own purposes?