With DynamoDB you can batch process table updates and selectively send WebSocket updates through API Gateway, vs Firestore which sends everything and can only process records individually in order. Firestore pricing is cheaper (18 cents per GB vs 25 cents for DDB) but the bandwidth/retrieval costs are higher.
I used Firestore in production and it scaled beautifully to 10k concurrent users (many physical classrooms with all students connected, mainly during US school hours). My main issues were storage/bandwidth costs which were substantial for a relatively high traffic application using Firepad (https://firepad.io/), and the cold starts/monitoring for Firebase functions. The trade-off for our small startup was clearly time - with Firebase we could turn a hackathon's worth of time into a fully-managed service that required virtually zero maintenance, and customize it to our specific problem quite easily (albeit exposing much of our application logic as client JS), while handling a handful of backend processes like payment processing with Firebase functions.
Nowadays you can build the same fully-managed no-maintenance service on AWS and get access to a far greater range of services and data centers. However, they have by no means tackled the web console user experience like Firebase consistently has.
You REALLY want to do data validation and permissions/authorization server side. Never trust the client! It's fine also to do client-side checking, but you must do server-side.
It's moderately easy with Firebase (haven't used Firestore).
I'm definitely interested to see if there's anything for AppSync beyond the checking that the GraphQL schema does (NOTE: I am not an expert in GraphQL schema, it may be a lot more powerful than I know), or if you have to write your own Lambda at that point. Does look like that's easy, though!
I've been using the serverless.com tools for quite a while now, and they're fantastic. Really glad to have this!
You can use a combination of multiple auth schemes for coarse-grained authorization. But, you can also implement your own fine-grained checks at the resolver level. See the AppSync Security documentation at https://docs.aws.amazon.com/appsync/latest/devguide/security...
Whereas Firestore is a NoSQL DB with awesome triggers and subscriptions, AppSync is a hosted GraphQL endpoint for many data stores. You can query one endpoint to get data from DynamoDB, RDS, an HTTP server and more sources.
https://firebase.google.com/docs/firestore/query-data/listen
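The server-side validation and resolver-level authorization discussed in the comments above, sketched as an added example that is not code from any commenter or from AWS. It assumes a Lambda resolver behind AppSync with Cognito user pools auth (so the event carries `identity.sub` and `identity.groups`); the `updateNote` mutation, the "admins" group and the in-memory `NOTES` table are hypothetical.

```javascript
// Added example: hypothetical resolver for an assumed mutation
// updateNote(id, title, body). NOTES is constructed sample data standing in
// for a real data source such as DynamoDB.
const NOTES = new Map([
  ["n1", { id: "n1", owner: "user-a", title: "Draft", body: "hello" }],
]);
const MAX_TITLE = 120;
const MAX_BODY = 10000;

// Validate client-supplied arguments on the server; return the bad field names.
function validateArgs(args) {
  const bad = [];
  if (typeof args.id !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(args.id)) bad.push("id");
  if (typeof args.title !== "string" || args.title.length === 0 ||
      args.title.length > MAX_TITLE) bad.push("title");
  if (typeof args.body !== "string" || args.body.length > MAX_BODY) bad.push("body");
  return bad;
}

// Decide from the verified identity only, never from values in the arguments.
function canUpdate(identity, note) {
  if (!identity || typeof identity.sub !== "string") return false;
  const groups = Array.isArray(identity.groups) ? identity.groups : [];
  return note.owner === identity.sub || groups.includes("admins");
}

function updateNote(event) {
  const args = event.arguments || {};
  const bad = validateArgs(args);
  if (bad.length > 0) return { ok: false, error: "INVALID_INPUT", fields: bad };
  const note = NOTES.get(args.id);
  // Same answer for "missing" and "not yours", so ids cannot be probed.
  if (!note || !canUpdate(event.identity, note)) {
    return { ok: false, error: "NOT_FOUND_OR_FORBIDDEN" };
  }
  // Copy only allow-listed fields; a client-sent "owner" is ignored.
  const updated = { ...note, title: args.title, body: args.body };
  NOTES.set(note.id, updated);
  return { ok: true, note: updated };
}

// Lambda entry point: reject by throwing, otherwise return the stored note.
async function handler(event) {
  const result = updateNote(event);
  if (!result.ok) throw new Error(result.error);
  return result.note;
}
if (typeof module !== "undefined") module.exports = { handler };
```

The same checks may also run in the client for faster feedback, but only the resolver's result decides what is written.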