> I'd like to know what 'allow' means when stated with conditions within security rules.
`allow read:...`, `allow write:...`, `allow get:...`, `allow <op>: ...` are all just part of a statement that defines when the specified <op> is allowed on a matching document. The operation on the document is allowed when the condition on the right side of the statement `allow <op>: if <condition>` evaluates to true for any rule matching the document.
> I was thinking that a conditioned allow-read statement would permit a user to read from the relevant collection, but only those documents that match the condition.
I think what you are asking is if security rules will filter your Firestore query results? The answer is no, "you cannot write a query for all the documents in a collection and expect Cloud Firestore to return only the documents that the current client has permission to access." It's important to understand that the security rule will deny an entire collection read (or query read) if the security rule *could possibly* evaluate to false for a document in the query result. The documentation and examples demonstrate this concept: https://firebase.google.com/docs/firestore/security/rules-conditions#rules_are_not_filters